Ransomware Attack on Cloud Nordic

On 18 August 2023, Cloud Nordic fell victim to a ransomware attack. A veritable disaster scenario ensued. On its website, Cloud Nordic clearly states how critical the situation is: “The attackers managed to encrypt all hard drives of the servers as well as the primary and secondary backup systems. This rendered all systems unusable and access to all data was lost. […] Unfortunately, recovery was not possible, and the majority of our customers lost all their data stored with us.”

Continuing, the Cloud Nordic team explains, “The attack happened after we unknowingly moved infected systems from one data centre to another. Unfortunately, the target data centre was connected to the internal network through which all our servers are managed. Through this internal network, the attackers were able to access the central management systems and the backup systems.”

No hardened and shielded backup system

From a technical perspective, there are solutions and technologies that can best protect the backup from encryption or compromise during a ransomware attack. However, our experience also shows that in many cases there are no hardened and shielded backup systems and often no recovery plans tested to the necessary extent.

In the current climate, the success of this attack is not surprising. Organisations around the world are facing increasingly frequent, sophisticated and consequently professional attacks. Cloud Nordic is far from the only victim.

Secure and control data in an isolated environment

The use of snapshots and similar techniques does not adequately protect the data to be restored, because it remains on the same primary platform – even if snapshots are additionally replicated. For adequate protection, it is essential to back up and control the data in an isolated environment. Combinable solution modules are available for this purpose:

In a first step, special attention should be paid to the system hardening possibilities of a backup and recovery solution. The question that each and every IT manager must ask is whether the backup and recovery tool currently in use actually enables the relevant system architecture to decimate the attack vectors. The next step is to weigh up what degree of hardening the company can actually guarantee through its own personnel and whether the use of fully integrated solutions does not significantly reduce the risk for one’s own organisation.

Ideal case Isolated Recovery Environment (IRE)

Air-gapping provides a method by which the backups performed are stored independently of the production network. This should be combined with data immutability to provide a WORM (Write Once Read Many) storage to protect the “last line of defence”.

Ideally, the company establishes a so-called Isolated Recovery Environment (IRE), i.e. a shielded environment that only opens access to the production-related backup system at certain times to transfer the latest backups, and then seals itself off from the rest of the network again independently. At the same time, an IRE should be hardened as best as possible and have the functionality of an immutable backup storage natively integrated, as well as guarantee the possibility of direct and thus time-optimised restoration of backups. At the same time, modern solutions offer the possibility of evaluating backups on the basis of typical risk indicators, scanning them fully automatically with antivirus technology and thus enabling a secure restoration at the push of a button.

Accurately inform about the measures taken by the cloud provider

The attack on Cloud Nordic is a powerful reminder of how important it is for cloud customers to accurately assess the shared responsibility model principle listed in their contracts with their service providers. According to this, cloud providers commit to the availability of their services by default, but customers bear the responsibility for the resilience of their data, as well as for regular backup and recovery capabilities. They should therefore be well informed about the provider’s measures, assess them professionally and, if necessary, plan and implement adjustments or changes to their own data management concept, in accordance with their IT strategy and the requirements of their IT governance and risk management system.

Patrick Englisch

is Regional CTO DACH at Veritas Technologies.