RYUK Ransomware has hit a cloud service provider (CSP) that works closely with MSPs. The twist: The limited attack hit a data center system that the CSP acquired through M&A. The situation appears under control, no ransomware was paid and the CSP has nearly completed the data restore as of about 4:00 p.m. ET on Friday, May 10, MSSP Alert has learned.
For MSPs and CSPs considering mergers and acquisitions, the attack offers a timely cyber due diligence reminder: Carefully study the security standards and best practices of the asset you are acquiring. In this particular case, the CSP was in the process of decommissioning the acquired data center when the attack occurred this week.
Ransomware Hits CSP: Attack Details
The target was CloudJumper, a workspace as a service (WaaS) provider that partners closely with MSPs. The attack impacted less than one percent of CloudJumper's partners. But in a phone conversation and email exchange with MSSP Alert, company executives emphasized their ongoing commitment to those impacted partners.
JD Helms, president of CloudJumper, sent MSSP Alert the following statement:
CloudJumper recently discovered a virus-based strain of ransomware as it was in the process of impacting one of our legacy multi-tenant environments. This environment was obtained in an acquisition and CloudJumper has been actively migrating these customers to our standardized platforms.
The name of the virus that hit CloudJumper was RYUK – which according to sources was re-written and re-released in March of 2019. Initially, it had hit in December of 2018 when it impacted a number of American Newspapers and extorted over 600,000 bitcoins.
Upon learning of the incident, CloudJumper immediately took efforts to address the disruption. We continue to work diligently to restore impacted systems as quickly as possible. While our investigation remains ongoing, our immediate focus is on supporting impacted clients and restoring functionality.
At this time, we have no knowledge and no indication that client data has been accessed or acquired. Further, we do not believe any such access or acquisition has or will occur for the following reasons:
- This was a fast moving programmatic virus-based ransomware and not a data theft tool.
- There were no outbound data spikes to indicate a transfer of data.
- We caught and halted the infection in the process of spreading and as precaution isolated all systems from the public internet almost immediately.
- We understand the vector of attack the program used.
- We believe we have identified the origination point.
- That said, we are coordinating a third-party forensic investigation and will promptly let clients know if we learn of anything to the contrary.
This impacted less than 1% of our partner base.
This type of Ransomware would not have been successful in a CloudJumper built platform due to our security parameters and practices.
There has been no indication of data loss and we are following our restoration procedures.
No “ransom” was paid."
-end of statement-
RYUK Ransomware Repeatedly Hits MSP Ecosystem
This is the latest in a growing list of malware attacks to hit an MSP or a CSP that serves the MSP ecosystem. For instance:
- RYUK ransomware hit Data Resolution, an MSP in California earlier this year.
- Cybercriminals used Ryuk ransomware to collect at least $640,000 in Bitcoin from global organizations over a two-week span in 2018, according to master MSSP Perch Security.
We will update this story if more details emerge.