Managed IT services provider NetGain Technologies has been forced to take some of its data centers offline following a ransomware attack launched in late November.

The Minnesota-based company claims that it took down “a number” of its data centers as a protective measure in an effort to “contain this threat and restore services”.

Although NetGain fell victim on 24 November, it was not until Friday 4 December that the company started to email clients, warning them that they may experience “system outages or slowdowns” due to the ransomware attack, according to Bleeping Computer. Over the weekend, the company started to shut down data centers in a bid to isolate the ransomware attack and rebuild affected systems.

Rebuilding the domain controllers

In a missive to clients, the company added that it was “running tools and scans to detect, isolate, and clean-up any affected environments” alongside security specialists and experts in post-incident recovery that it had drafted in. However, it remains unable to give clients a firm estimate when it will be able to restore services.

While NetGain has chosen not to release much information to the public, it has been more forthcoming in briefings with clients.

According to one of its customers, before bringing data centers back online NetGain needs to rebuild its domain controllers, and scan its networks. Then it will need to scan each individual server for malware or other anomalies.

The client added that the attack had targeted the data center operator’s domain controllers, which manage networks of thousands of servers, but it also needs to make sure that the attackers have not got any further than that.

Services, added the client, ought to start going back online today following scans, and after other security checks and security updates have been completed. More than 60 staff have been working around the clock to resolve the issue.

The NetGain compromise comes just two months after the internal systems of data center giant Equinix were hit with ransomware. However, in that instance the data centers remained fully operational. In late 2019, a CyrusOne data center was also attacked with ransomware, an attack that ended up affecting six customers.

The NetGain compromise comes as ransomware attackers are starting to up their game with partnership platforms, and streamlining their attack tools to better evade detection. In addition, some have started to exfiltrate data from compromised systems before launching their attacks in order to give themselves extra leverage over their victims.

The attackers then threaten to release sensitive data if their ransom demands are not met. In some instances, companies have been taken down for a month or more.

At the end of December in 2019, global foreign exchange company Travelex was forced to take its systems down throughout January following a ransomware attack launched on New Year’s Eve. Customers across the world with foreign exchange tied up in Travelex foreign currency cards were unable to access their cash as a result. Banks that relied upon Travelex to provide foreign exchange were forced to suspend the services.

Travelex management, meanwhile, was roundly criticised for releasing barely any information about the attack for the first two weeks - not even informing the UK’s Information Commissioner’s Office (ICO) about the attack.

The company reportedly paid a ransom of $2.3 million to the attackers in a bid to restore their systems, but the one-two punch of the ransomware outbreak followed by the drastic reduction in global travel wrought by the global COVID-19 outbreak saw the company collapse into administration in August 2020.

NetGain has not responded to press inquiries about the attack.