
Cyber Incident Victim: CyrusOne

Date:

Dec 2019

Location:

United States of America

Summary

In early December 2019, CyrusOne, a major US data center provider, suffered a targeted ransomware attack attributed to the REvil (Sodinokibi) family. Six of its managed service customers were impacted, primarily those hosted in its New York facility, where the ransomware encrypted devices within customer networks and caused availability problems; affected organizations included a financial technology firm whose cloud services experienced outages. CyrusOne confirmed that its colocation services remained unaffected and engaged law enforcement and third-party forensic experts to investigate, though the initial intrusion vector had not been identified at the time of reporting. The ransom note indicated a deliberate attack against the provider's network, and sources familiar with the response reported that the company did not intend to pay. CyrusOne had already listed ransomware as a business risk in regulatory filings the year before the incident.


Description

On or around December 4, 2019, CyrusOne, a major publicly traded US data center provider, suffered a ransomware attack impacting six of its managed service customers. The incident primarily affected customers hosted in the company's New York data center, where a variant of the REvil (Sodinokibi) ransomware encrypted devices within those customers' networks. CyrusOne confirmed the attack in a statement to ZDNet and clarified that its core colocation services, internet exchange (IX) and IP Network Services were unaffected. The company opened an investigation involving law enforcement agencies and third-party forensic experts while helping customers restore impacted systems. A ransom note recovered during the incident indicated that the attack was deliberately targeted at CyrusOne's network, though the initial intrusion vector remained unidentified at the time of reporting.


The infection caused significant operational disruption, most visibly for financial technology firm FIA Tech, one of the six affected customers. FIA Tech suffered a cloud services outage that it attributed directly to the attack and described in customer communications as an attempt to extort a ransom from its data center provider; circumstantial evidence identified that provider as CyrusOne. Sources familiar with CyrusOne's response said the company did not intend to pay the ransom absent unforeseen developments. The company had recognized the threat beforehand, explicitly listing ransomware as a business risk factor in its SEC filings from the previous year. A sample of the ransomware executable linked to the intrusion was uploaded to VirusTotal shortly after the incident. At the time, CyrusOne operated 45 data centers worldwide with more than 1,000 customers, and the attack came amid reports of potential takeover interest in the company.
