Danish cloud hosting companies CloudNordic and AzeroCloud, both subsidiaries of the same parent firm, fell victim to a major ransomware attack on August 18th. This devastating cyberattack resulted in the complete loss of most customers' data and a total shutdown of the entire system infrastructure. The attack not only impacted the hosting providers themselves but also left a trail of destruction among their numerous customers.

The Attack Unveiled

According to a report by BleepingComputer, the attackers executed their plan while CloudNordic and AzeroCloud were in the midst of migrating their systems to another data center. During this crucial period of transition, the attackers managed to infiltrate specific network-linked servers, paving the way for the compromise of critical administrative systems and the entire data storage infrastructure, including backup systems. The attackers' ultimate achievement was the encryption of the server disks, effectively locking away the data and making it impossible to access.

In an attempt to unravel the cause behind the breach, CloudNordic and AzeroCloud posited that some servers might have been compromised earlier, leading to an undetected attack. The situation escalated when these compromised servers were integrated into the internal network used to manage all servers after the data center migration. This access paved the way for the attackers to compromise central administration systems, backup systems, and all associated data storage.

The Recovery Attempts

Despite a reported ransom of six Bitcoins (equivalent to around $156,000), which is not an extremely large ransom for such a crippling attack, the hosting companies refused to yield to the ransom demands, emphasizing their commitment not to meet the financial demands of the attackers. Following relentless efforts of CloudNordic and AzeroCloud's IT teams to recover and overcome the situation, the hackers' actions proved to be overwhelmingly devastating, and the data was not restored. The recovery process hit a dead end, leaving customers and the hosting companies reeling from the impact. The attack resulted in the loss of not only data but also vital systems and servers, severely impacting communication and functionality.

The Customer Fallout

The hosting providers' principled stance against paying the ransom, besides the ultimate inability to restore customer data and the severe impact that created, underscores the challenge of handling ransomware attacks without conceding to cybercriminals. The repercussions of the attack cascaded onto CloudNordic and AzeroCloud's vast customer base. Hundreds of Danish firms were left grappling with the aftermath as they lost all cloud-stored data, including emails, documents, and websites.

In a statement by the two hosting service providers, they recommended that heavily impacted customers move to other providers. Martin Haslund Johansson, director of AzeroCloud and CloudNordic, told Radio4 he doesn't "expect that there will be any customers left with us when this is over."


The ransomware attack on CloudNordic and AzeroCloud serves as a cautionary tale for businesses, highlighting the disastrous consequences that may occur as a result of inadequate cybersecurity measures. This devastating attack has had a profound impact on both the companies and their extensive customer base, resulting in the loss of crucial data and significant disruptions to operations. Cloud hosting providers must keep their security commitment to customers and ensure the protection of their data and systems. As ransomware continues to rise and expand, the importance of vigilance, resilience, and proactive security strategies becomes ever more evident.


ThreatSTOP’s network enforcement solutions make it impossible for your network to communicate with known ransomware download sites or C2 servers. By pulling together hundreds of threat intelligence sources, alongside predictive analysis of future threats, ThreatSTOP provides comprehensive, dynamic, and customizable blocklist policies that will keep your network and data secure. ThreatSTOP constantly monitors new attacks, and adds their domains and IPs to the blocklists within minutes.

Want to see ThreatSTOP in action? Schedule a demo today.

Get a Demo