Nebulous attribution clouds assault

US-based cloud hosting provider is in the process of recovering its systems after getting hit by the Ryuk ransomware over the winter holidays.

News of the apparently profit-motivated hack, yet to be publicly acknowledged by the Microsoft hosting partner, was broken by investigative reporter Brian Krebs on Wednesday.

Data Resolution informed customers that it was hit on Christmas Eve (December 24) by the same strain of ransomware that hobbled the operations of several big US newspapers including the LA Times and Chicago Tribune last weekend.

Data Resolution, which offers cloud computing and data center services to 30,000 businesses worldwide, has called in external help and is in the process of restoring data from backups.

According to status updates to its customers obtained by Krebs, Data Resolution hackers abused a compromised login account to infect servers with Ryuk, a ransomware variant.

Cybercriminals briefly seized control of Data Resolution’s data center domain, locking the hosting provider out of its own systems in the process.

In response, Data Resolution shut down its network to contain the breach before embarking on the painstaking process of cleaning up the outbreak and restoring affected systems and services.

Those behind the attack demanded payment in return for encryption keys, a demand Data Resolutions resisted in favour of restoring data from backups. Customer data was not exposed by the attack, the hosting provider assured customers.

As of Wednesday (January 2), the cloud hosting provider was working to restore email access and multiple databases for clients, included hosted installations of hosted ERP and SQL Server databases.

The Daily Swig contacted Data Resolution for comment on the reported ransomware outbreak through its web form but we’re yet to hear back. We’ll update this story as and when more information comes to hand.

Attacks on hosting firms or cloud service providers are rare, but not unprecedented. For example, cloud hosting provider Cloudnine suffered an outage that spanned several days after a ransomware attack based in 2017.

The Ryuk malware linked to both the attack on the Tribune group of newspapers and Data Resolution is typically spread using a targeted attack rather the spray and pray spamming tactics associated with mainstream malware campaigns.

Ryuk crops up as a secondary payload after infection by other malware, or as part of an attack where hackers first break into vulnerable systems before essentially planting the pathogen, as in the Data Resolution incident.

Attacks featuring Ryuk last year were linked to the Hermes malware-based operations tied to North Korea by Check Point and others. More recent Ryuk attacks have leveraged the Trickbot banking trojan.

Although speculation on blame in the latest cases has once again pointed towards Pyongyang, the evidence is sketchy at best, especially when alternative explanations offer a credible alternative hypothesis, as discussed in an informative thread by ICS security expert Robert Lee on Twitter.