Delaware, USA – December 6, 2019 – One of the biggest data center providers in the United States has confirmed a cybersecurity incident that affected customers primarily serviced by CyrusOne’s New York Data Center. CyrusOne has not disclosed details of the attack and is conducting an investigation. At the same time, ZDNet has evidence indicating that Sodinokibi (REvil) ransomware was used in the attack: on the day of the attack, an executable supposedly used in this attack was uploaded to VirusTotal. Unlike Sodinokibi’s past “successes” in the United States, this time the attackers were unable to infect more than one data center, so only six CyrusOne customers were impacted, and the company is now restoring their data from backups.
Sodinokibi ransomware is the “heir” of the GandCrab Ransomware-as-a-Service platform. After part of the team went out of business, the remaining developers created a new ransomware strain based on GandCrab and attracted the most advanced affiliates to spread it. Over its six months of existence, Sodinokibi has joined the shortlist of the most dangerous ransomware families alongside Ryuk and MegaCortex. Since affiliates use many different methods for penetration and infection, and the creators of Sodinokibi update it constantly, detecting attacks in time is extremely difficult.
Content to detect this threat is available on Threat Detection Marketplace:
Sodinokibi Ransomware Detector (Sysmon Behavior) (July 2019) – https://tdm.socprime.com/tdm/info/oJUl4bUYHjlG/
Sodinokibi Ransomware detected – https://tdm.socprime.com/tdm/info/ASpLxqo0ejXK/