Ransomware attack on LightSpeed’s Hosting

LightSpeed experienced a ransomware attack, encrypting systems and disrupting services. Rapid response restored services the same day, with increased security measures now in place to prevent future incidents.

LightSpeed was the victim of a cyber attack that encrypted some of our systems early morning on 13 October 2020. As a result, many of our online services were interrupted. We restored our services by 16h30 on the same day. Here is a full explanation of the events as they took place on the day:

Timeline

2020-10-13 07:30

  • Strange login activity detected on Administration interface for Primary Load Balancer.

2020-10-13 07:35

  • Primary Load Balancer reported as down, traffic automatically rerouted to failover.

2020-10-13 07:40

  • System Administrator is unable to access Primary Load Balancer server.
  • Requests service provider to connect a remote console.

2020-10-13 07:45

  • Strange login activity detected on Administration interface for Failover Load Balancer.

2020-10-13 07:50

  • Failover Load Balancer reported as down, traffic automatically rerouted to Secondary Failover Load Balancer.

2020-10-13 07:55

  • Remote Console connected to Primary Load Balancer. Systems Administrator finds system has been encrypted with notice demanding payment of 12 BTC for the decryption key.

2020-10-13 08:00

  • Systems Administrator informs LightSpeed team that the hosting environment has been compromised by a Ransomware attack and should start preparing that we will be shutting down majority of the infrastructure to mitigate any further risk.

2020-10-13 08:05

  • Infrastructure shutdown starts.

2020-10-13 08:32

  • Infrastructure shutdown complete.

2020-10-13 08:32

  • Infrastructure recovery starts.
  • All infrastructure administration credentials reset, API tokens regenerated.
  • Primary Load Balancer, Failover Load Balancer and Secondary Failover Load Balancer formatted and restored from backup.
  • Back-end Servers booted and audited for malicious code.
  • Back-end administration interfaces audited.

2020-10-13 15:58

  • Hosting infrastructure returns to service.

2020-10-13 16:00

  • Hosted website auditing commenced.
  • LightSpeed support team informs clients sites are back online.

Next steps

Moving forward, to mitigate any recurring exploitation of our administration interfaces, we have restricted access by geolocation for our team members and reduced the session time to expire after 15 minutes, thereafter requiring re-authentication.

We are implementing further security measures by requiring a one time pin for access and ensuring all locally used devices by our team members are protected with adequate security software and meet an adequate level of security compliance.

We are still auditing each individual hosting webspace, so far we are confident that no customer data was accessed, lost or stolen. Thank you to all customers that have reset their WordPress Administrator(s) passwords and reached out to set up multi-factor authentication. We encourage those of you who have not done this yet to please get in touch with us if you need our help.

We are also offering blocking access to WordPress administration panels by Geolocation. For those of you who are interested in adding this additional level of security – please submit a support request.

Thank you once again for your patience and support last week – we appreciate it.

Best wishes
The LightSpeed Team