Dataresolution.net, a cloud hosting provider headquartered in San Juan Capistrano, CA and with data centers in Los Angeles CA, Reston VA, London UK, Hamilton Bermuda, and Canada, was infected with ransomware on Christmas Eve, 2018. It appears that the firm declined to pay any ransom, and is reconstituting the files manually and from backups.
According to these notices, the ransomware concerned is Ryuk; the same ransomware that disrupted the delivery of several major U.S. newspapers in the last weekend of 2018. However, this attribution comes from Data Resolution’s notice to customers: “Christmas Eve; Ryuk ransomware attach occurred — Point of Origin North Korea.”
At this point, Data Resolution’s assertion is not definitively affirmed. It may simply be that encrypted files were assigned the .ryk extension as happened in the weekend newspaper attack. Similarly, the association of Ryuk with North Korea (and more specifically the Lazarus Group) is primarily based on a Check Point study published in August 2018. Check Point was by no means definitive. It reported, “Both the nature of the attack and the malware’s own inner workings tie Ryuk to the HERMES ransomware and arouse curiosity regarding the identity of the group behind it and its connection to the Lazarus Group.”
Nevertheless, what little is currently known does seem to point to Ryuk. Luis Corrons, security evangelist for Avast Software, told SecurityWeek, “We still have limited information. However, the attack strategy is similar to those of SamSam in the way that the attackers gain access to the network. Before attacking the first compromised system they do a full exploration of the network to identify the key systems and then launch a full-scale attack. By doing this, the attackers can ask for higher ransoms. I would say it is too early to talk about attribution at this point.”
In November 2018, Sophos described BitPaymer, Dharma and Ryuk as ransomware attacks that had adopted the attack strategy pioneered by SamSam; that is, manually breach the target (usually via RDP), reconnoiter the network, and then encrypt those files that will cause the most damage. This makes recovery from a targeted attack more difficult than recovery from a standard spray and pray ransomware attack, and allows the attackers to demand a higher ransom.
The most high-profile SamSam attack to date was that against the City of Atlanta in March 2018. Like Data Resolution, Atlanta declined to pay the ransom and sought to recover their own files. This proved more difficult than expected. In June 2018, Atlanta information management head Daphne Rackley told the City council that her department would need an additional $9.5 million over the coming year because of the ransomware.
Without more information from Data Resolution it is impossible to say how deeply its own attack has gone. However, the implication is that recovery is not straightforward. A status update from the firm to its customers — also obtained and published by Krebs — shows that by 2 January 2019, the firm was still struggling to restore many of its services more than a week after the attack became apparent. (If SecurityWeek receives a reply to its request for information from Data Resolution, it will be appended to this article.)
Because Data Resolution is an MSP, the attack has also been linked to the Cloud Hopper campaign emanating from China. “The ransomware attack on Data Resolution should leave other MSPs with no doubt,” said Brian Downey, senior director, security product management at Continuum in an emailed comment: “the channel is now the target for cybercriminals. Gaining access into an MSP’s service network can provide access to the individual customers they serve. Just two weeks ago we saw that law enforcement has identified the threat from organized cyber attackers and we now have the first public reports of an MSP getting hit.”
He added, “Make no mistake: this new attack proves that cybercriminals know the money is in attacking small businesses through their MSPs.” This is obliquely accurate. While the Cloud Hopper campaign seems to have been motivated more by espionage than direct financial gain, the Data Resolution attack is motivated primarily by financial gain. One of the Data Resolution notices asserts, “Your data does not look compromised; These are hijackers not thieves.”
It is perhaps a bit premature to claim that no data has been stolen, but that would certainly fit the normal approach taken by targeted ransomware. However, one motivation for attacking MSPs with ransomware may be an attempt to manipulate service level agreements between the MSP and its SMB clients. It may be that the cost of breaching SLAs because of the loss of service could be considered a major incentive to just pay the ransom.
It hasn’t worked in this instance — and Downey is accurate in his suggestion that MSPs are emerging as a primary target for hackers: for access to customers, and for direct extortion.