Cyber Incident Victim: Equinix

Date: Sep 2020

Location: Australia

Summary

Equinix, a global data center and colocation provider, experienced a Netwalker ransomware attack in which threat actors demanded $4.5 million in bitcoin for a decryptor and for withholding the release of stolen data. The attackers provided a screenshot of allegedly compromised financial, payroll, and accounting information from the company's Australian offices, threatening public disclosure if the ransom was not paid within three days. The company confirmed the security breach but stated that its operations remained unaffected while the investigation continued. Security researchers identified 74 exposed remote desktop protocol (RDP) servers linked to the victim, with credentials circulating in hacker markets, primarily in Australia, Turkey, and Brazil; these exposed administrative interfaces are a plausible initial access vector for the intrusion, although the company did not confirm the entry point.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

Equinix, a global data center and colocation provider operating in over 50 locations, experienced a Netwalker ransomware attack during the Labor Day holiday weekend in early September 2020. Threat actors deployed ransomware across Equinix systems, issuing a ransom note demanding $4.5 million (equivalent to 455 bitcoin at the time) for a decryptor and to prevent the public release of stolen data. The attackers imposed a three-day deadline for payment negotiations, threatening to leak exfiltrated data if contact was not established. Unlike standard Netwalker ransom notes observed previously, this variant included a unique link to a screenshot purporting to show stolen financial, payroll, and accounting data from Equinix’s Australian offices. The folders displayed in the screenshot suggested the compromise of sensitive internal business records. A dedicated Tor payment portal was created to facilitate the ransom transaction. Equinix publicly confirmed the cybersecurity incident in an official statement, acknowledging unauthorized access to internal systems but emphasizing that customer-facing data center operations remained fully functional without disruption. The company initiated an investigation to assess the scope of the compromise and data exposure.

Security researchers independently identified 74 Equinix remote desktop protocol (RDP) servers with exposed credentials circulating in underground hacker markets prior to the attack, with concentrations in Australia, Turkey, and Brazil. This exposure potentially provided initial access vectors for threat actors, though Equinix did not publicly confirm the intrusion method. The ransomware operators utilized double-extortion tactics, combining file encryption with data theft threats to pressure the victim. No evidence suggested Equinix paid the ransom. The company maintained that core services for colocation customers and interconnection partners were unaffected throughout the incident. Equinix’s investigation remained ongoing as of the article’s publication date, with no further details disclosed regarding data recovery processes or forensic findings. The incident highlighted risks associated with exposed administrative interfaces and the operational resilience challenges facing critical infrastructure providers during ransomware events.

Sources
Sources available to members
1 source