Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Internap suffers ransomware attack.
New on LowEndTalk? Please Register and read our Community Rules.

Internap suffers ransomware attack.

SwiftnodeSwiftnode Member, Host Rep
edited October 4 in General

This seems to have flown under the radar. Internap experienced a ransomware attack and as a result has ceased offering email, database, and website services. - It does not appear they were able to restore any backups.

Statement:

On Wednesday, September 28th, between the hours of 2:11 am CDT and 5:41 am CDT, INAP was the target of a ransomware attack that affected the services we provide to you. One of our support technicians discovered the security issue at 8:00 am, CDT. INAP’s Chief Information Security Office was notified and invoked the incident response plan. The incident response team was able to determine the root cause and attack vector used, and quickly remediated the issue to prevent further damage. This was completed approximately at noon, Wednesday September 28th.

Unfortunately, your services are not recoverable because of this attack.

Additionally, multitenant website, database, and email hosting services will no longer be available following this event. We will be terminating these multitenant hosting services and removing the charges from your account effective immediately. The multitenant “GuestDNS” service was not impacted, and you can continue to make any DNS changes through the control panel.

Our recommended path forward is to re-create any affected services on a bare metal server and to upload your data from your local copies if available.

https://ot.inap.com/incidents/l3ly2y746v26

Comments

  • jarjar Member, Patron Provider

    @Swiftnode said: email hosting services will no longer be available

    Well, that's one way to take a beating like this:

    @Swiftnode said: your services are not recoverable because of this attack

    So now when everyone asks "Why didn't you have backups and how are you going to do better moving forward" they can just say "We fucked up, and we're not moving forward at all. Get out."

  • yoursunnyyoursunny Member, IPv6 Advocate

    Mentally strong provider deletes customer services immediately without trying to recover data.

    Thanked by 1zed
  • MikeAMikeA Member, Host Rep

    Well that's one way to expedite throwing in the towel for old services..

  • HostSlickHostSlick Member, Patron Provider
    edited October 4

    Did this attack wipe all Dedicated/Bare-metal Servers or what?

    Or why this:

    Our recommended path forward is to re-create any affected services on a bare metal server and to upload your data from your local copies if available. If you do not have a bare metal server with INAP please reach out directly to [email protected] for immediate sales support.

  • @HostSlick said:
    Did this attack wipe all Dedicated/Bare-metal Servers or what?

    Or why this:

    Our recommended path forward is to re-create any affected services on a bare metal server and to upload your data from your local copies if available. If you do not have a bare metal server with INAP please reach out directly to [email protected] for immediate sales support.

    They're no longer providing some services at all, they're saying if you need those then rent a server and run them yourself.

  • zedzed Member

    legacy services they didnt make much money on anyway so not worth the effort? that's how i read it, and can't really blame them.

    Thanked by 1MikeA
  • emgemg Member
    edited October 4

    One of the more recent trends in ransomware is to attack the backup infrastructure along with the primary target. The attacker's objective is to prevent the victim from eliminating the malware and restoring a clean backup. They may lurk on a system and take time to figure out how to prevent backup restoration.

    I know nothing about Internap or its operations. I wonder whether Internap had backups, but the attackers were able to infect, encrypt, or destroy them? Were their backups attached to the servers 24x7?

    Another thing that we do not know is Internap's decision process regarding the ransom demand. Did Internap attempt to pay the ransom? (Note that there is no guarantee that if you pay the ransom you will recover your data. There is also no guarantee about what the attacker may do with that data. They may or may not release, keep, or destroy the data, no matter what was promised.)

    If Internap did not pay the ransom, then it begs the question of what could motivate a decision not to pay? Ransom too high? Moral principles? The value of the shared hosting business was less than the ransom? It could be a communications or payment failure between Internap and the attacker.

    This attack should be a wakeup call for Internap's competitors to review practices, plans, and procedures. I hope my providers are paying attention.

    P.S. Do you think Internap will release the root cause and attack vector used, so that others will not fall prey to the same attacks? Any takers for that bet? (... or is Internap too embarrassed to admit their error?)

  • raindog308raindog308 Administrator
    edited October 5

    What kind of company loses their customers' data and doesn't even apologize?

  • LisoLiso Member

    No compensation?

    Thanked by 1gzz
  • yoursunnyyoursunny Member, IPv6 Advocate

    @Liso said:
    No compensation?

    Nigh Sect says: when in doubt, sue.

    Thanked by 1gzz
  • The worst part is the fact that the attacker probably has a copy of all customer file systems. Oh boy…

  • FranciscoFrancisco Member, Top Host, Host Rep

    @stevewatson301 said:
    The worst part is the fact that the attacker probably has a copy of all customer file systems. Oh boy…

    Probably not. Most likely just encrypted.

    This reminds me of 365 datacenters.

    Francisco

  • @emg said:
    One of the more recent trends in ransomware is to attack the backup infrastructure along with the primary target. The attacker's objective is to prevent the victim from eliminating the malware and restoring a clean backup. They may lurk on a system and take time to figure out how to prevent backup restoration.

    This seems the way to go. Free in Community up to 10 workloads.

    https://community.veeam.com/blogs-and-podcasts-57/veeam-v11-hardened-repository-aka-immutable-backups-275

    Thanked by 1emg
  • SmartHostSmartHost Member, Patron Provider

    I'd hate to see their credit card merchant statement next month...chargebacks galore.

  • atomiatomi Member

    It seems that they hide that incident report since link is forwarded and there are no reports or statement anywhere. Did they actually found some backups or just trying to handle PR?

  • SwiftnodeSwiftnode Member, Host Rep

    @atomi said:
    It seems that they hide that incident report since link is forwarded and there are no reports or statement anywhere. Did they actually found some backups or just trying to handle PR?

    That's a bit ironic given their status page is titled "Operational Transparency"

    Here's an archived link:

    https://web.archive.org/web/20221004130636/https://ot.inap.com/incidents/l3ly2y746v26

    And here's an archive of the archive;

    https://archive.ph/OBFk3

    Internap really showing the community exactly how not to handle breaches.

    Thanked by 1MikeA
  • ArkasArkas Moderator

    Noboday asked the obvious. Were they taking a nap?

    Thanked by 1emg
  • They can ‘perma’ nap now

Sign In or Register to comment.