
Cyber Incident Victim: CloudNordic

Date:

Aug 2023

Location:

Denmark

Summary

A ransomware attack paralyzed a Danish cloud provider by encrypting all servers and backups during a data center migration, rendering data irretrievable. Attackers exploited pre-existing infections on servers inadvertently connected to internal networks, gaining access to administrative and backup systems. The company refused ransom demands, resulting in total data loss for most customers. While no evidence of data exfiltration was found, the provider restored empty DNS, web, and email systems to facilitate service rebuilding or migration.


Description

On August 18, 2023, at approximately 4:00 AM local time, Danish cloud provider CloudNordic suffered a comprehensive ransomware attack that paralyzed all operational systems. The intrusion disabled customer websites, email systems, internal infrastructure, and administrative platforms, rendering the company inoperable. CloudNordic immediately engaged its IT team and external cybersecurity experts to assess the damage but confirmed within days that data recovery was impossible for most customers. Attackers had encrypted storage systems, primary replication backups, and secondary backup infrastructure, leaving no viable restoration paths. The company publicly refused to pay the ransom, citing an unwillingness to fund criminal enterprises, and reported the incident to law enforcement. Initial communications advised affected customers—primarily those not directly contacted by CloudNordic—to assume total data loss. By August 22, CloudNordic restored minimal infrastructure, including blank DNS, web, and email servers devoid of customer data, to facilitate service reactivation. Customers were instructed to email [email protected] with “GENOPRET” or “RESTORE” in the subject line, providing domain details and contact information for verification and provisional access. The company acknowledged severe communication challenges due to the loss of internal systems and warned of extended delays in processing requests, particularly for domain transfers requiring authorization code verification.


The attack originated during a planned migration of servers between data centers, where pre-existing malware on some machines activated after network reconfiguration. Despite firewall and antivirus protections, compromised servers—previously isolated—were inadvertently connected to CloudNordic’s internal administrative network during the move. This allowed attackers to pivot into central management systems, storage arrays, and both primary and secondary backup environments. Forensic analysis indicated the ransomware operators encrypted all virtual machine disks and backup repositories but found no evidence of data exfiltration or access to customer data content. CloudNordic emphasized that the encryption process alone caused the outage, not theft or exposure of sensitive information. By August 28, the company collaborated with domain registrar Punktum to restore three-week-old DNS zone files for .dk domains, partially reactivating external services like Gmail and Office 365 for affected clients. Customers without backups were directed to reconstruct websites using tools like SecurityTrails or the Wayback Machine. CloudNordic disclosed financial insolvency due to the attack, ruling out customer refunds while continuing to wind down operations under its azero.cloud brand. Police and third-party investigators retained access to encrypted systems until late August, after which CloudNordic planned hardware decommissioning.
