According to CloudNordic's statement, the ransomware has "paralyzed CloudNordic completely", shutting down all of its systems and wiping out customer Websites, e-mail systems, customer systems, our customers' websites, etc. Everything. The company's backup systems and replication servers were also impacted, leaving CloudNordic unable to recover or recreate customer data.
"We cannot and do not want to meet the financial demands of the criminal hackers for ransom," CloudNordic said in an online notice, translated from Danish.
"We are deeply affected by the situation, and are aware that the attack is also very critical for many of our customers. In addition to data, we also lost all our systems and servers and have had difficulty communicating. We have now re-established blank systems, e.g. name servers (without data), web servers (without data) and mail servers (without data)" — CloudNordic further added.
While the ransomware is not believed to have exfiltrated data, the wholesale encryption across CloudNordic's networks has rendered customer data inaccessible. With no ability to pay the ransom demand, CloudNordic is advising all customers to consider their data permanently lost.
CloudNordic believes the ransomware initially infected some servers ahead of a planned data center migration. When these infected servers were connected to the company's main network, the ransomware was able to spread rapidly and compromise administrative systems, storage, and backups.
"It is our best estimate that when servers had to be moved from one data center to another and despite the fact that the machines being moved were protected by both firewall and antivirus, some of the machines were infected before the move, with an infection that had not been actively used in the previous data center, and we had no knowledge that there was an infection." — CloudNordic statement.
With customers facing significant disruption, CloudNordic is offering to slowly restore basic website and email services without data. However, the company admits this will be a slow process and is recommending that affected customers immediately seek alternative providers to minimize downtime.
CloudNordic said they reported the intrusion to the police.
Cloud provider said, adding:
"We have not seen the attackers have had access to the data content of the machines themselves, but to administration systems from which they could encrypt entire disks. Very large amounts of data were encrypted, and we have seen no signs that large amounts of data have been attempted to be copied out."
As of today, CloudNordic said it's ready to get customers' web and email servers — without data — back online, albeit without DNS at present. To restore these services, the firm says to email: [email protected] with the word RESTORE in the subject line.
CloudNordic's advice that customers consider all data lost underscores the potential severity of ransomware attacks on cloud providers. With so many businesses dependent on the cloud, the outage will likely have ripple effects across Denmark's technology sector.