Security Experts:

Connect with us

Hi, what are you looking for?



Ransomware Attack Against Hosting Provider Confirms MSPs Are Prime Targets, a cloud hosting provider headquartered in San Juan Capistrano, CA and with data centers in Los Angeles CA, Reston VA, London UK, Hamilton Bermuda, and Canada, was infected with ransomware on Christmas Eve, 2018. It appears that the firm declined to pay any ransom, and is reconstituting the files manually and from backups., a cloud hosting provider headquartered in San Juan Capistrano, CA and with data centers in Los Angeles CA, Reston VA, London UK, Hamilton Bermuda, and Canada, was infected with ransomware on Christmas Eve, 2018. It appears that the firm declined to pay any ransom, and is reconstituting the files manually and from backups.

According to these notices, the ransomware concerned is Ryuk; the same ransomware that disrupted the delivery of several major U.S. newspapers in the last weekend of 2018. However, this attribution comes from Data Resolution’s notice to customers: “Christmas Eve; Ryuk ransomware attach occurred — Point of Origin North Korea.”

At this point, Data Resolution’s assertion is not definitively affirmed. It may simply be that encrypted files were assigned the .ryk extension as happened in the weekend newspaper attack. Similarly, the association of Ryuk with North Korea (and more specifically the Lazarus Group) is primarily based on a Check Point study published in August 2018. Check Point was by no means definitive. It reported, “Both the nature of the attack and the malware’s own inner workings tie Ryuk to the HERMES ransomware and arouse curiosity regarding the identity of the group behind it and its connection to the Lazarus Group.”

Nevertheless, what little is currently known does seem to point to Ryuk. Luis Corrons, security evangelist for Avast Software, told SecurityWeek, “We still have limited information. However, the attack strategy is similar to those of SamSam in the way that the attackers gain access to the network. Before attacking the first compromised system they do a full exploration of the network to identify the key systems and then launch a full-scale attack. By doing this, the attackers can ask for higher ransoms. I would say it is too early to talk about attribution at this point.”

In November 2018, Sophos described BitPaymer, Dharma and Ryuk as ransomware attacks that had adopted the attack strategy pioneered by SamSam; that is, manually breach the target (usually via RDP), reconnoiter the network, and then encrypt those files that will cause the most damage. This makes recovery from a targeted attack more difficult than recovery from a standard spray and pray ransomware attack, and allows the attackers to demand a higher ransom.

The most high-profile SamSam attack to date was that against the City of Atlanta in March 2018. Like Data Resolution, Atlanta declined to pay the ransom and sought to recover their own files. This proved more difficult than expected. In June 2018, Atlanta information management head Daphne Rackley told the City council that her department would need an additional $9.5 million over the coming year because of the ransomware.

Without more information from Data Resolution it is impossible to say how deeply its own attack has gone. However, the implication is that recovery is not straightforward. A status update from the firm to its customers — also obtained and published by Krebs — shows that by 2 January 2019, the firm was still struggling to restore many of its services more than a week after the attack became apparent. (If SecurityWeek receives a reply to its request for information from Data Resolution, it will be appended to this article.)

Because Data Resolution is an MSP, the attack has also been linked to the Cloud Hopper campaign emanating from China. “The ransomware attack on Data Resolution should leave other MSPs with no doubt,” said Brian Downey, senior director, security product management at Continuum in an emailed comment: “the channel is now the target for cybercriminals. Gaining access into an MSP’s service network can provide access to the individual customers they serve. Just two weeks ago we saw that law enforcement has identified the threat from organized cyber attackers and we now have the first public reports of an MSP getting hit.”

He added, “Make no mistake: this new attack proves that cybercriminals know the money is in attacking small businesses through their MSPs.” This is obliquely accurate. While the Cloud Hopper campaign seems to have been motivated more by espionage than direct financial gain, the Data Resolution attack is motivated primarily by financial gain. One of the Data Resolution notices asserts, “Your data does not look compromised; These are hijackers not thieves.”

It is perhaps a bit premature to claim that no data has been stolen, but that would certainly fit the normal approach taken by targeted ransomware. However, one motivation for attacking MSPs with ransomware may be an attempt to manipulate service level agreements between the MSP and its SMB clients. It may be that the cost of breaching SLAs because of the loss of service could be considered a major incentive to just pay the ransom.

It hasn’t worked in this instance — and Downey is accurate in his suggestion that MSPs are emerging as a primary target for hackers: for access to customers, and for direct extortion.

Related: Operation Cloud Hopper: China-based Hackers Target MSPs

Related: DHS Warns of Attacks on Managed Service Providers 

Related: Mitigating Risk of Supply Chain Attacks 

Related: U.S. Charges Two Iranians Over SamSam Ransomware Attacks 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.