Cyber Incident Victim: A2 Hosting
Date:
Apr 2019
Location:
United States of America
Summary
A ransomware attack targeted a web hosting provider, crippling its Windows-based servers and causing extended downtime. The infection, suspected as GlobeImposter 2.0, entered through the Singapore data center and spread, prompting the company to take all affected servers offline to contain the outbreak. Customers reported encrypted files with .lock extensions and faced severe business disruptions, including lost search rankings and customer bases, while criticizing poor communication and support delays. Restoration efforts from backups progressed slowly, partially resuming services in US and EU regions, but the Singapore infrastructure remained inoperable. The incident raised concerns about potential data theft following service recovery.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 23, 2019, A2 Hosting suffered a ransomware attack targeting its Windows-based virtual private servers and WordPress hosting infrastructure. The infection originated in the company’s Singapore data center before propagating to other Windows Server instances across its network. Customers observed files being encrypted and renamed with a .lock extension, consistent with the GlobeImposter 2.0 ransomware strain based on the file extension and attack timeline. A2 Hosting responded by taking all Windows servers offline to contain the spread, simultaneously disabling Remote Desktop Protocol (RDP) access to limit further intrusion vectors. The outage persisted for eight days, with restoration efforts focusing on recovering systems from backups. By May 1, partial service restoration was achieved for US and European customers, though the Singapore data center remained inoperable. The company maintained minimal communication during the incident, directing customers to a status page with limited operational updates while support channels experienced severe delays.
The prolonged downtime caused significant financial and operational damage to customers, many of whom reported losing Google search rankings, customer bases, and revenue streams due to inaccessible websites and databases. One customer described losing a year’s worth of search engine optimization progress and a growing clientele, while others criticized A2 Hosting’s lack of transparency regarding restoration timelines or data integrity assurances. Social media platforms hosted widespread complaints about unresolved support tickets and hour-long phone hold times. Although A2 Hosting avoided confirming the attack publicly, its restoration efforts prioritized rebuilding US and EU systems from backups, leaving Singapore’s infrastructure offline with unresolved security concerns. Customers expressed apprehension about potential data theft given the ransomware’s access to systems, with one emphasizing the criticality of independent backups after experiencing data loss. The incident contributed to a broader trend of escalating ransomware attacks observed throughout 2019.