CyrusOne, one of the biggest data center providers in the US, has suffered a ransomware attack, ZDNet has learned.
CyrusOne is currently working with law enforcement and forensics firms to investigate the attack and is also helping customers restore lost data from backups.
The incident took place yesterday and was caused by a version of the REvil (Sodinokibi) ransomware.
This is the same ransomware family that hit several managed service providers in June, over 20 Texas local governments in early August, and 400+ US dentist offices in late August.
According to a copy of the ransom note obtained by ZDNet, this was a targeted attack against the company’s network. The point of entry is currently unknown.
CyrusOne has not yet publicly disclosed the incident. A CyrusOne spokesperson was not available for comment, either via phone call, email, or a live support chat via the company’s website.
FIA Tech, a financial and brokerage firm, has informed customers today that an outage of their respective cloud services originated at their data center provider. FIA Tech did not name the data center provider, but a quick search identified it as CyrusOne.
In a message to customers, FIA Tech said “the attack was focused on disrupting operations in an attempt to obtain a ransom from our data center provider.”
A source has told ZDNet today that the incident has not impacted all of CyrusOne’s data centers, but that restoring servers and customer data will be a lengthy process. We’ve been told CyrusOne does not intend to pay the ransom demand, barring any future unforeseen developments.
The company owns 45 data centers in Europe, Asia, and the Americas, and has more than 1,000 customers. It is also considering a sale after receiving takeover interest over the summer, according to Bloomberg.
CyrusOne is a publicly traded, NASDAQ-listed company (NASDAQ:CONE). In an SEC filing last year, the company explicitly listed “ransomware” as a risk factor for its business (page 23).
A copy of the ransomware executable that is believed to have infected the company’s network was uploaded on VirusTotal earlier today.