The colocation provider says it managed to mitigate the threat successfully. Other victims weren’t so lucky.

September 21, 2020

7 Min Read
Paying ransomware

By Maria Korolov

In a statement published on its website, Equinix said that the ransomware attack on its infrastructure disclosed earlier this month has been fully contained. The attack didn’t affect customers and no data was lost, the provider of connectivity and data center services said.

“Our mitigation efforts have yielded full containment of the recent security incident,” the company wrote.

Equinix had said earlier that it was able to reach a milestone in its containment and mitigation efforts “that we believe will prevent the release of any data associated with this incident,” and that all internal systems were close to being fully restored.

This article by Maria Korolov originally appeared on Channel Futures’ sister site, Data Center Knowledge.

The company still hasn’t released details about the attack, but according to a report by BleepingComputer, the particular strain of ransomware involved was Netwalker, and attackers asked for $4.5 million in ransom. The attackers didn’t just encrypt company systems and make them unusable, however; they also indicated that they stole files containing financial information, payroll, accounting, audits and data center reports.

Equinix did not confirm any details about Netwalker in its statement. The company hasn’t responded to repeated requests for comment by Data Center Knowledge.

With 2019 revenue of $5.5 billion and approximately 200 data centers around the world, Equinix supports thousands of customers, including many of the world’s largest corporations.

In August, a power outage at a London data center affected hundreds of Equinix clients, and there were many complaints about a lack of communication on the part of the data center provider. This time, however, Equinix posted regular updates about the attack and its response, even if the information provided was very limited.

In addition, there are no signs or public reports that any customers were affected, an indication that Equinix was well prepared for an attack of this type.


TAG Cyber’s Katie Teitler

“Their internal systems were kept separate from clients’ systems,” said Katie Teitler, senior analyst at TAG Cyber, a security research firm. “This is one of the principles of zero trust, and one of the reasons zero trust has been so buzzworthy in the last few years. If Equinix’s customers’ systems had been touched, this would be an even bigger story.”

Netwalker Hits Equinix, Other High-Profile Companies

The Netwalker ransomware allegedly used in the Equinix attack appears to have been involved in other recent high-profile attacks.

In June, the University of California, San Francisco, paid $1.14 million to attackers after ransomware took down servers at its school of medicine.

Netwalker is relatively new, active for about a year, according to a report by Heimdal Security, and was created by a group of Russian-speaking hackers.

In March, it shifted to a ransomware-as-a-service model, and in April the group behind it started recruiting experienced network hackers to go after big targets like businesses, hospitals and government agencies by looking for unpatched VPN appliances, weak Remote Desktop Protocol passwords, and exposed web applications.

The attackers use a pants-and-suspenders strategy to get their paydays. They would first shut down systems, encrypt all the files on them, and delete all the backups they could find. But if their victims had a good, isolated set of backups and a robust recovery plan, they would have a second threat: They would post screenshots of the files they stole on their public website, and if the victims didn’t pay up, they would expose the files themselves.

As a result, in March-July, malicious hackers used the ransomware to extort $25 million from victims, according to McAfee.

For victims, the cost of the ransom is …

… a small part of the total effect of the ransomware, as they lose business, pay for remediation, and incur other costs as part of their recovery efforts.

And then there’s the part that nobody wants to talk about, said Caleb Barlow, president and CEO of CynergisTek, a privacy and security company. Barlow was previously an IBM security executive, leading the IBM X-Force Threat Intelligence organization.


CynergisTek’s Caleb Barlow

“The real fear is not that they publish data; it’s that they change data,” he said. “With the level of access required to wipe or publish data, you could also just as easily change it, and the problem for any company is that if you lose the integrity of your data, you then have to question everything moving forward.”

In addition, the attackers could establish permanent footholds in your systems.

“If the adversary is still active on the network and you do not know where they are hiding, then further damage becomes a real concern,” he said.

Ransomware On the Rise

Netwalker is just one of many active ransomware campaigns that have stepped up attacks recently.

According to the latest Beazley Breach Insights Report, the number of incidents involving ransomware in the first quarter of 2020 increased by 25% compared to the last quarter of 2019.


Risk Based Security’s Inga Goodijn

“Ransomware operations have kicked into high gear this year, hitting a number of large organizations,” said Inga Goddijn, executive VP at Risk Based Security.

And no company is safe.

“The event at Equinix reinforces the old adage that no organization is immune from attack,” she said. “Our researchers see hundreds of breach announcements every year that begin with the phrase, ‘We take privacy and security seriously.’”

Often, the root cause comes down to basic security hygiene, since ransomware often comes in via unpatched systems, weak password or phishing emails.

And data center providers such as Equinix are juicy targets for ransomware like Netwalker.

“A cybercriminal group can minimally invest in a single human driver or automated ransomware attack but impact a large number of businesses — the data center’s client base,” said Francisco Donoso, director of global security strategy at Kudelski Security. “This means that their potential return on investment could be rather large. A single organization that was a client of the data center provider could pay for the decryption key, or the data center provider may be pressured to pay for the decryption key in order to restore critical services for their clients.”

In April IT services and data center provider Cognizant was hit by a ransomware attack that could cost it between $50 million and $70 million, the company told investors in July.

Last Christmas Eve, cloud hosting provider Data Resolution was brought down by a ransomware attack, according to security researcher Brian Krebs.

Also in December, a ransomware attack hit CyrusOne’s managed services division, affecting six customers at its New York data center.

Other data center providers hit by ransomware last year include SmarterASP.NET, A2 Hosting, and iNSYNQ. In all three cases, it took weeks to fully recover customer data.

On-premises enterprise data centers are also vulnerable.

Ransomware Is Costly

In the spring of 2019, a ransomware attack against Oslo-based aluminum producer Norsk Hydro cost the company between $72 million and $83 million, only $24 million of which was covered by cyber insurance, the company said in an annual report released earlier this year.

And the costliest ransomware attack so far this year was against Denmark-based facilities management company ISS World. In March, the company told investors that it will cost between $71 million and $127 million to recover.

“One of the main takeaways is that no organization or network is entirely safe from a ransomware attack,” said Jamie Hart, cyber threat intelligence analyst at Digital Shadows, a San Francisco-based cybersecurity company. “Vulnerabilities can be found, systems can be misconfigured, and employees can be misled.”

Data center managers should double-check that their remote desktop protocol servers are secure and do not allow open internet connections, he said. Also, that they use multifactor authentication, that privileges are limited to the least needed, that the number of administration accounts is minimized, and that all software and systems are patched and updated.

Data centers should also have a response plan in place, practice that plan, and train employees to spot phishing attacks.

Read more about:

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like