CyrusOne Ransomware Attack Whacks Six Managed Service Clients

The managed service clients have experienced availability issues due to a ransomware program encrypting certain devices in their network, according to a spokesperson for data center provider giant CyrusOne.

Six New York-area managed service customers of data center provider giant CyrusOne have been affected by a ransomware attack.

These managed service clients have experienced availability issues due to a ransomware program encrypting certain devices in their network, a spokesperson for Dallas-based CyrusOne said in a statement. The company said it’s currently working with law enforcement and forensics firms to investigate the attack, as well as with the involved customers to restore their affected systems.

“Our data center colocation services, including IX and IP Network Services, are not involved in this incident,” CyrusOne said in a statement provided to CRN. “Our investigation is ongoing and we are working closely with third-party experts to address this matter.”

[Related: Digital Realty Eyeing CyrusOne Acquisition: Report]

CyrusOne’s stock fell $1.10 (1.69 percent) to $64.01 in trading Thursday. The ransomware attack was first reported early Thursday by ZDNet.

The attack took place Wednesday and was caused by a version of the REvil (Sodinokibi) ransomware, according to ZDNet. That’s the same family of ransomware that hit several managed service provides in June, more than 20 Texas cities in early August, and upward of 400 dentists offices in late August.

Adversaries deliberately targeted CyrusOne’s network for attack, according to a copy of the ransom note obtained by ZDNet. The point of entry into CyrusOne’s network remains unknown, ZDNet said.

Financial and brokerage firm FIA Tech was one of the six customers affected by the ransomware attack, which caused an outage on the company’s cloud services, ZDNet said. FIA Tech didn’t name the data center provider, but ZDNet said a quick search identifies it as CyrusOne.

“There is currently no evidence that any data was exfiltrated,” FIA Tech said in a message to customers. “Instead, the attack was focused on disrupting operations in an attempt to obtain a ransom from our data center provider.”

Barring any unforeseen developments, CyrusOne doesn’t intend to pay the ransom, a source close to the company told ZDNet. The attack comes after Bloomberg reported that CyrusOne was considering selling itself.

In a regulatory filing from last year, CyrusOne explicitly listed “ransomware” as a risk factor for its business.

“We recognize the increasing volume of cyberattacks and employ commercially practical efforts to provide reasonable assurance such attacks are appropriately mitigated,” CyrusOne said in the filing. “Each year, we evaluate the threat profile of our industry to stay abreast of trends and to provide reasonable assurance our existing countermeasures will address any new threats identified.”