
Cyber Incident Victim: 2NetworkIT

Date:

Dec 2022

Location:

Canada

Summary

An Ottawa-area IT services firm experienced a ransomware attack attributed to the Cuba strain, resulting in 11 encrypted servers and a temporary service disruption. The victim fully restored operations within 48 hours from resilient offline backups, though customers lost one day of email and data. The attackers deployed unauthorized scripts that encrypted drives, including one network-attached backup system, but did not reach the isolated virtual machine and offline backup servers. The Cuba gang threatened to leak data but produced no evidence of exfiltration, leading the victim to conclude that no data was stolen. The initial compromise is suspected to have come from a malicious attachment opened by a customer. The incident fits the broader targeting of NATO countries by suspected Russian-aligned threat actors, a link based on linguistic indicators observed during prior negotiations with the group.


Description

On December 8, 2022, at approximately 2:00 a.m., attackers deployed the Cuba ransomware strain against 2NetworkIT, an Ottawa-area IT services provider based in Orleans, Ontario. The compromise encrypted 11 servers, including one network-attached storage backup system, and disrupted the hosted office productivity applications used by the company’s 30 customers. Marc Villeneuve, the company owner, noticed something was wrong around 5:00 a.m. when he tried to access email and found the servers unresponsive. Initial troubleshooting showed 46 services offline, followed by the discovery of unauthorized scripts executing automatically across the domain controllers. These scripts systematically mapped and encrypted every drive they could reach. Villeneuve remotely shut down all company servers to contain the attack. A separate server hosting virtual machines and offline data backups was unaffected because it sat on an isolated network segment. The attackers demanded contact within three days, under threat of publishing allegedly stolen data on their leak site, and had listed 2NetworkIT’s name there publicly by that Sunday.


The incident resulted in the loss of one full day’s worth of customer email and data, though no payment was made to the threat actors. Full service was restored within 48 hours from resilient offline backups, which the attackers had not reached and which allowed the data to be recovered. Villeneuve attributed the attack vector to a suspected malicious attachment clicked by a customer, even though the servers were kept patched. While the Cuba ransomware group claimed to hold financial documents, tax records, and source code, Villeneuve disputed that any data had been exfiltrated, because the gang’s leak site showed no file directory previews or screenshots. The U.S. Cybersecurity and Infrastructure Security Agency and the FBI had previously linked the Cuba group to Russian-speaking actors who used exploited vulnerabilities, phishing, and stolen credentials against 101 entities globally. 2NetworkIT’s recovery turned on two factors: backup systems preserved by network segmentation, and rapid containment by shutting the servers down.
