All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Ransomware wipes out all CloudNordic servers and backups!
Excerpt from the translated notice on the CloudNordic website:
For customers in CloudNordic
Unfortunately, during the night of Friday 18-8-2023 at 04 a.m., CloudNordic was exposed to a ransomware attack, where criminal hackers shut down all systems. Websites, e-mail systems, customer systems, our customers' websites, etc. Everything. A break-in that has paralyzed CloudNordic completely, and which also hits our customers hard.Since we cannot and do not want to meet the financial demands of the criminal hackers for ransom, CloudNordic's IT team and external experts have been working hard to get an overview of the damage and what was possible to recreate.
Unfortunately, it has proved impossible to recreate more data, and the majority of our customers have thus lost all data with us. This applies to everyone we have not contacted at this time.
The hacking attack has been reported to the police.
Status
We are deeply affected by the situation, and are aware that the attack is also very critical for many of our customers. In addition to data, we also lost all our systems and servers and have had difficulty communicating. We have now re-established blank systems, e.g. name servers (without data), web servers (without data) and mail servers (without data)....
What happened?
It is our best estimate that when servers had to be moved from one data center to another and despite the fact that the machines being moved were protected by both firewall and antivirus, some of the machines were infected before the move, with an infection that had not been actively used in the previous data center, and we had no knowledge that there was an infection.During the work of moving servers from one data center to the other, servers that were previously on separate networks were unfortunately wired to access our internal network that is used to manage all of our servers.
Via the internal network, the attackers gained access to central administration systems and the backup systems.
Via the backup system, the attackers managed to gain access to:
All storage (data)
Replication backup system
Secondary backup system
The attackers succeeded in encrypting all servers' disks, as well as on the primary and secondary backup system, whereby all machines crashed and we lost access to all data.
No data breaches
The attack occurred by encrypting all disks for all virtual machines, and we have seen no evidence of a data breach. We have not seen the attackers have had access to the data content of the machines themselves, but to administration systems from which they could encrypt entire disks. Very large amounts of data were encrypted, and we have seen no signs that large amounts of data have been attempted to be copied out.We deeply regret the situation and thank the many loyal customers who have been with us over the years.
Sincerely
CloudNordic
Comments
Yes, deadpooling with no doubt
This is bancruptcy. Please press your disaster recovery button.
Read this on my news feed this morning, was happy I had never even heard of said company, but not sure if that is a good thing.
data
Sorry to tell you, but none of that will help you if you get ransomed.
"Anyways, we can't expect ransomware attacks to stop anytime soon. They won't.
It's important to properly secure your servers, especially as a hosting provider. That's what you're paid for.
Simple things like:
Can help save your entire company from deadpool, or alternatively, your data from disappearing into a void of encrypted nothingness.
At least configure external backups..."
You can read the full article here on LowEndBox.
I was surprised there is no mention for backups.
There was, they just intentionally left it out.
Aha, to encourage self-learning and think!
Excellent deadpool strategy. Fake a 'ransomeware attack', say sorry and exit.
goodbye random company
More about this https://techcrunch.com/2023/08/23/cloudnordic-azero-cloud-host-ransomware/
https://techcrunch.com/2023/08/23/cloudnordic-azero-cloud-host-ransomware/
Not the Nordic Cloud experts but idiots.
How can you act so grossly negligent. Boy why you not make magnet backups????
I'm not sure that is a good exit strategy in Northern Europe, where the authorities check both data leaks of this size (GDPR) and bankruptcies.
Nothing to check, everything is encrypted by ransomware. Probably some skids playing.
Exactly.
You have no idea how many things like this happen in this world.
I worked for a company with an annual turnover of hundreds of thousands of euros that produced software for their clients but also hosted the respective applications.
The scheme by which the infrastructure was thought was something like this: We have X OVH servers and Y Hetzner servers and we evenly distribute the applications in production so that server A is with a certain application in production and server B is a backup for server A but also has its own applications in production etc.
I realized that if my SSH key or that of 2 other colleagues who had full access got into the hands of the wrong people, they could have deleted both the production applications and their backups and the company would effectively have remained as it was about which we were discussing, without anything. (even Gitlab was hosted internally)
I suggested them to rent a special server for backups to be managed by another person with a separate SSH key and to pull backups from our servers to our servers.
Guess what? Nothing has changed even today and the respective company increases its turnover from one day to the next, until one day.
You have to think eventually that these companies might not have all been idiots. I mean, maybe they all were. But I feel like I've had enough of laughing about it, and now I'm to the point where I just want to know how it happened so I can learn something from it.
I'm also about to start working on an intended workflow and tutorials to help my customers backup their own data as they wish to do so, because as confident in my security as I may be, I have to wonder how many people got hit by events like this also thought the same. It's not about doubting my ability as much as it is being humbled by the idea that maybe I still have more to learn every day.
Ransomware attackers should be shot in the face. Victims should refuse to pay and offer reward for finding the attackers.
Good posture. I've always held the opinion in everything I do, and tell customers when they ask me if something is secure, "If it can be made, it can be hacked, period". Its simply a matter of time, money, and compute power, but everything out there can be hacked.
If we take that posture when creating and implementing things, hence backups, backups, backups, and more backups, it should help to partially mitigate the risk. Just be prepared for the possibility I tell customers, prepare for the worst possible scenario, and work back from that point.
There are always signs after hacking.
The internet providers are logging all internet traffic by law, and if you check 3. party websites, you will find traces that indicate passive footprinting.
For example, there is a lot of snapshot activity on the Wayback Machine, which could mean that the hackers have used it to monitor their website. Maybe since 2020.
Compare azero.dk (old website) vs azero.cloud (new website) on web.archive.org to see the difference between normal activity for a small website and the same website that might have been monitored passively.
Another reason to pull backups instead of pushing them.
Even if your System is fucked, your backups are fine.
+10000000000000000000000000000
That's the big pain👍
Now put yourself in the situation of all the customers, who knows if public services or people who have been there all their lives have made backups. Personally, I would not have backups of my emails and co.
My life would be ruined, I almost fainted when I knew the NAS system was broken and hopefully the backups would work.
Deleted
No matter how much money it would cost if I knew that the attackers really had the password to decrypt all the data, I would have even sold my eggs to decrypt everything.
After that, I would have gotten out of the business and most likely kicked myself.
It doesn't matter if you pull or push.
If your backup system uses the same ssh key or password that the other systems use, it doesn't matter.
Also, in my opinion, the backup system should always be from another manufacturer who also deals with the subject.
They use veeam and co. Have I read, what I just believe is this.
Their backup system was also set up in vsphere and the attacker had access to the complete hypervisor, he encrypts the backup partitions and veaam is overridden.
So my tip, always use a physical device for backups.