Equinix Fends Off Netwalker Ransomware, But the Ongoing Threat Is Real

By | Managed Services News

Sep 21

The colocation provider says it managed to mitigate the threat successfully. Other victims weren’t so lucky.

In a statement published on its website, Equinix said that the ransomware attack on its infrastructure disclosed earlier this month has been fully contained. The attack didn’t affect customers and no data was lost, the provider of connectivity and data center services said.

“Our mitigation efforts have yielded full containment of the recent security incident,” the company wrote.

Equinix had said earlier that it was able to reach a milestone in its containment and mitigation efforts “that we believe will prevent the release of any data associated with this incident,” and that all internal systems were close to being fully restored.

This article by Maria Korolov originally appeared on Channel Futures’ sister site, Data Center Knowledge.

The company still hasn’t released details about the attack, but according to a report by BleepingComputer, the particular strain of ransomware involved was Netwalker, and attackers asked for $4.5 million in ransom. The attackers didn’t just encrypt company systems and make them unusable, however; they also indicated that they stole files containing financial information, payroll, accounting, audits and data center reports.

Equinix did not confirm any details about Netwalker in its statement. The company hasn’t responded to repeated requests for comment by Data Center Knowledge.

With 2019 revenue of $5.5 billion and approximately 200 data centers around the world, Equinix supports thousands of customers, including many of the world’s largest corporations.

In August, a power outage at a London data center affected hundreds of Equinix clients, and there were many complaints about a lack of communication on the part of the data center provider. This time, however, Equinix posted regular updates about the attack and its response, even if the information provided was very limited.

In addition, there are no signs or public reports that any customers were affected, an indication that Equinix was well prepared for an attack of this type.

TAG Cyber's Katie Teitler

“Their internal systems were kept separate from clients’ systems,” said Katie Teitler, senior analyst at TAG Cyber, a security research firm. “This is one of the principles of zero trust, and one of the reasons zero trust has been so buzzworthy in the last few years. If Equinix’s customers’ systems had been touched, this would be an even bigger story.”

Netwalker Hits Equinix, Other High-Profile Companies

The Netwalker ransomware allegedly used in the Equinix attack appears to have been involved in other recent high-profile attacks.

In June, the University of California, San Francisco, paid $1.14 million to attackers after ransomware took down servers at its school of medicine.

Netwalker is relatively new, active for about a year, according to a report by Heimdal Security, and was created by a group of Russian-speaking hackers.

In March, it shifted to a ransomware-as-a-service model, and in April the group behind it started recruiting experienced network hackers to go after big targets like businesses, hospitals and government agencies by looking for unpatched VPN appliances, weak Remote Desktop Protocol passwords, and exposed web applications.

The attackers use a pants-and-suspenders strategy to get their paydays. They first shut down systems, encrypt all the files on them, and delete all the backups they can find. But if their victims have a good, isolated set of backups and a robust recovery plan, the attackers have a second threat: they post screenshots of the files they stole on their public website, and if the victims don’t pay up, they expose the files themselves.

As a result, in March-July, malicious hackers used the ransomware to extort $25 million from victims, according to McAfee.

For victims, the cost of the ransom is …
