Delaware, USA – May 2, 2019 – A ransomware attack on a US-based web hosting provider disabled the company’s Windows servers for eight days. As reported by A2 Hosting, the incident occurred on April 22: the security team detected the file encryption process on Windows hosting servers and shut all of them down to prevent the infection from spreading. The adversaries allegedly compromised an RDP connection and penetrated the company’s data center in Singapore, from where they could reach other data centers worldwide. According to indirect evidence, the attackers used GlobeImposter 2.0 ransomware. A2 Hosting is investigating the incident together with an unnamed security company. Recovering data from backups has taken more than a week and the process appears to be still ongoing: access to servers in the United States and Europe has been restored, while the Singapore data center remains unavailable. As a result of the attack, many of the company’s clients suffered financial losses.
The group behind the spread of GlobeImposter 2.0 ransomware conducted several successful attacks on organizations in April, and at least some of the victims chose to pay a ransom to decrypt their data. Investigations have shown that the cybercriminals brute-force RDP logins and then install the ransomware on every server they can reach. It is also worth noting that another group is attacking organizations through a recently patched vulnerability in Oracle WebLogic components, using compromised WebLogic servers to distribute Sodinokibi and GandCrab ransomware across the organization’s network. To detect suspicious connections to your network, you can use the VPN Security Monitor rule pack, which helps a SIEM monitor security events tied to access control: https://my.socprime.com/en/integrations/vpn-security-monitor-arcsight
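Detection logic for the RDP brute-force pattern described above, as an added example that is not part of the original article and not SOC Prime's rule pack: it walks parsed Windows Security events, counts failed RemoteInteractive logons (Event ID 4625, LogonType 10) per source address inside a sliding window, and records whether a successful RDP logon (Event ID 4624, LogonType 10) from the same address follows while those failures are still in the window. The event IDs, the LogonType value and the field names follow the real Windows event schema; the event records, the five-failure threshold, the ten-minute window and the function name are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive (Terminal Services / RDP)

# Constructed sample of parsed Windows Security events. Field names follow the
# real 4624/4625 event schema (EventID, TimeCreated, LogonType, TargetUserName,
# IpAddress); every value below is made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2019-04-22T01:00:05", "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2019-04-22T01:00:31", "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2019-04-22T01:00:58", "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2019-04-22T01:01:20", "LogonType": 10, "TargetUserName": "root", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2019-04-22T01:01:47", "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2019-04-22T01:02:15", "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    # Success from the same source shortly after the burst of failures.
    {"EventID": 4624, "TimeCreated": "2019-04-22T01:03:40", "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    # Network logon (LogonType 3) from the same source: not RDP, ignored here.
    {"EventID": 4624, "TimeCreated": "2019-04-22T01:05:00", "LogonType": 3, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    # Two failures only: below the threshold, so no finding.
    {"EventID": 4625, "TimeCreated": "2019-04-22T01:10:00", "LogonType": 10, "TargetUserName": "backup", "IpAddress": "198.51.100.9"},
    {"EventID": 4625, "TimeCreated": "2019-04-22T01:10:30", "LogonType": 10, "TargetUserName": "backup", "IpAddress": "198.51.100.9"},
    # Ordinary RDP logon with no preceding failures.
    {"EventID": 4624, "TimeCreated": "2019-04-22T01:15:00", "LogonType": 10, "TargetUserName": "ops.jane", "IpAddress": "192.0.2.10"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source IP that produced at least `threshold`
    failed RDP logons (4625, LogonType 10) inside a sliding `window`.

    If the same IP then succeeds with an RDP logon (4624, LogonType 10) while
    those failures are still inside the window, the finding records the time
    and account of that success: that is the pattern to escalate first."""
    failures = defaultdict(list)    # IpAddress -> timestamps of recent RDP failures
    tried_users = defaultdict(set)  # IpAddress -> account names attempted
    findings = {}                   # IpAddress -> finding dict

    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["LogonType"] != RDP_LOGON_TYPE:
            continue
        now = datetime.fromisoformat(ev["TimeCreated"])
        ip = ev["IpAddress"]
        # Keep only failures inside the window that ends at this event.
        recent = [t for t in failures[ip] if now - t <= window]

        if ev["EventID"] == 4625:
            recent.append(now)
            tried_users[ip].add(ev["TargetUserName"])
            if len(recent) >= threshold:
                finding = findings.setdefault(ip, {
                    "src_ip": ip,
                    "failures": 0,
                    "users": set(),
                    "first_failure": recent[0].isoformat(),
                    "success_time": None,
                    "success_user": None,
                })
                finding["failures"] = len(recent)
                finding["users"] = set(tried_users[ip])
        elif ev["EventID"] == 4624:
            # A success counts only while the burst of failures is still in window.
            if ip in findings and recent and findings[ip]["success_time"] is None:
                findings[ip]["success_time"] = ev["TimeCreated"]
                findings[ip]["success_user"] = ev["TargetUserName"]
        failures[ip] = recent

    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        status = "SUCCESS at %s as %s" % (finding["success_time"], finding["success_user"]) \
            if finding["success_time"] else "no success yet"
        print("%s: %d RDP failures against %s; %s"
              % (finding["src_ip"], finding["failures"], sorted(finding["users"]), status))
```

Two tuning points matter in practice. First, the threshold and window are assumptions; a hosting environment with many administrators may need a higher threshold, while a finding with `success_time` set deserves a much lower one. Second, on hosts where Network Level Authentication is enabled, the credential check happens before the RemoteInteractive session exists, so failed RDP attempts are commonly recorded as 4625 with LogonType 3 rather than 10; a rule that filters on LogonType 10 alone will then miss the failure burst and see only the final 4624, so consider counting 4625/LogonType 3 failures from the same address as well.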