Ransomware requires a few preconditions in order to do real damage.
Mostly those all boil down to:
1. Shit-to-no backup solution in place.
2. Poor segmentation from a network/identity/privilege perspective.
Datacenters usually have this kind of stuff down pretty well or they don't stay in business very long.
Additionally, traditional ransomware attacks start as client-side attacks [phishing/fake search engine results promising app updates/etc]. This kind of attack works way better against Mary Sue in accounting or Chuck in sales but the scenario of Datacenter admins checking their Gmail on admin workstations or servers is hopefully insanely rare or never.
It's not just "windows", it's the kind of people who are on the other end of it. If your attack relies on someone downloading "funny toolbar" and saying "yes" to the wrong thing, then at least some of the world wide droves of Karens will let it in.
Thank you for researching that. That should be the top answer. I looked at the links above: the first two are definitely data centers[1][2] and they were definitely hit by ransomware. All the other replies on this page are assuming that data centers don't get hit and try to offer rational reasons why not. But I see no a priori reason to think that data centers aren't just as incompetent as any other kind of company.
[1] CyrusOne provides mission-critical data center facilities. (from the About page)
[2] Equinix is the world's digital infrastructure company. Founded in Silicon Valley in 1998 as a vendor-neutral multitenant data center. (from the About page)
To use an analogy, because it's like hearing about buildings being infected by viruses instead of the people living in them.
Datacenters hold machines which can belong to many different companies, and there can be intranets between them, but otherwise they are equivalent to being connected to the Internet.
In a way, your analogy does make sense. But, I would also consider the question "Why haven't we heard of Data Centre Providers being affected by Ransomware" a valid one. And that was my first thought when I saw the question. I am hoping that is what the original question was about.
I like your analogy, but the way I see it is rephrasing it as:
Q: Why don't we hear about fire stations burning to the ground?
A: They do, but the people running them are for the most part, experts in putting down and avoiding fires
Routers/UPS/nodes/fire-suppress/IR-sensors etc. all have software, firmware and a ~network; ransomware would be a nonsense attack, but a worm/virus/malware could be in the realm of reality to partially shut down or even damage a data center.
Funny, I just went on a tour of the Markley data center in Boston. My guess is that it's because they take security very seriously, the attack surface for compromising the data center infrastructure itself (vs the corporate servers in it) is smaller, and they're running more exotic servers (i.e. not just a bunch of Windows domain controllers).
Most of these large ransomware attacks are probably a result of under-resourced IT departments. A data center is basically a giant IT department. Wager that has something to do with the relative scarcity -- better security.
It does happen though. Equinix was hit last year in a limited fashion.
Individual machines within the datacenter may be getting hit. But those machines are (should be) isolated from each other (or from other orgs).
So imagine company A has a cabinet full of machines. The fact that company B has a cabinet full of machines in the same building doesn't make it more likely that it gets infected.
I believe the reason number one is because they don't run on Windows and most recent ransomware attacks are targeting Windows. (EternalBlue, zero-day, or infecting the update system)
Very good point. Am I right in thinking that most data centers use a flavor of unix or linux? I don't think I've heard of a linux or unix Ransomware attack. This and the low attack surface of a data center is probably the answer. Attacking a data center is probably so much harder that it's not worth the effort if there are easier targets.
Here's an interesting article on the subject of Ransomware on linux.
tl;dr
Linux ransomware is on the rise, but ransomware risk is still significantly lower for Linux users than for their Windows- and MacOS-using counterparts.
I'm not saying there are no apps written in .NET. I myself am an ex-.NET developer who worked for large companies and govt in .NET.
I'm talking about datacenter infrastructure (routers, watchdogs, monitoring, deployment processes, ...). Usually none of that is based on Windows.
The entire point of a datacenter is tenant isolation and security. Plus the fact there are few user workstations and physical access is extremely restricted.
A data center's business model is to protect customers from things like physical phishing attacks, like someone showing up from the “fire department” demanding access.
It would then go to follow that the staff are highly cognizant of things like phishing attacks, which is one of the ways ransomware propagates.
The data center doesn’t just have to worry about ransomware because they can get locked out of their business software; worse yet, an attacker could simply approve themselves for physical access and gain access to all the tenants' machines by proxy, so there is a lot motivating the data center to proactively mitigate this stuff.
A counterpoint to the "they run Windows" sentiment here: I accidentally left Xvnc open with no password while doing "a quick thing" on my VPS.
Presumably an automated scan eventually found it (after a few weeks or so).
IIUC, someone manually logged in to start a crypto miner on it.
Moral of story: "a quick thing" needs to mean "15 minutes or less", or a scenario where I'm constantly connected.
(And as an aside, the hunt continues for a decent VNC app for Android that combines the usability of RealVNC with compatibility with host-based TLS auth... I _would_ like to permanently stop worrying about passwords...)
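The anecdote above is the classic "exposed management service found by a scanner" failure. As an added example, not part of the thread, the script below reads `ss -tln` output (Linux) and flags LISTEN sockets that are bound to a non-loopback address on a port used by remote-access services (VNC, RDP, X11, SSH), so an admin can spot an accidentally exposed Xvnc before an automated scan does. The port ranges are the conventional defaults, the `ss` column layout is assumed, and the embedded sample output is constructed for offline use.

```shell
#!/bin/sh
# Added example: audit for remote-access services listening on public addresses.
# Reads `ss -tln` style lines; the sample below is constructed, not captured
# from the poster's VPS.

SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       0.0.0.0:5901         0.0.0.0:*
LISTEN  0       5       127.0.0.1:5902       0.0.0.0:*
LISTEN  0       128     [::]:3389            [::]:*
LISTEN  0       511     127.0.0.1:6379       0.0.0.0:*'

# classify_port PORT: print a label if PORT is a remote-access port, else fail.
# Ranges are the conventional defaults (VNC displays :0-:99, X11 displays 0-63).
classify_port() {
    p=$1
    if [ "$p" -ge 5900 ] && [ "$p" -le 5999 ]; then echo vnc; return 0; fi
    if [ "$p" -eq 3389 ]; then echo rdp; return 0; fi
    if [ "$p" -ge 6000 ] && [ "$p" -le 6063 ]; then echo x11; return 0; fi
    if [ "$p" -eq 22 ]; then echo ssh; return 0; fi
    return 1
}

# is_loopback ADDR: true for 127.x.x.x and ::1 (with or without brackets).
is_loopback() {
    case "$1" in
        127.*|'[::1]'|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# exposed_remote_access: read ss -tln output on stdin and print "label addr:port"
# for every LISTEN socket on a non-loopback address and a remote-access port.
exposed_remote_access() {
    while read -r state recvq sendq local peer; do
        [ "$state" = "LISTEN" ] || continue
        port=${local##*:}          # text after the last colon
        addr=${local%:*}           # text before the last colon ("[::]" for v6 any)
        is_loopback "$addr" && continue
        label=$(classify_port "$port") || continue
        echo "$label $local"
    done
}

# count_exposed: number of flagged sockets in the constructed sample.
count_exposed() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_remote_access | wc -l | tr -d ' '
}

# Run against the live host with `--live`; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    ss -tln | exposed_remote_access
else
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_remote_access
fi
```

On the constructed sample this reports the world-reachable SSH, VNC (:1) and RDP listeners and stays silent about the VNC display bound to 127.0.0.1, which is the shape a "quick thing" should have taken: bind to loopback and reach it over an SSH tunnel, so a forgotten session is not visible to scanners at all.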
The answers given are good, however they also forgot the simple fact that it is simply more valuable (for most servers) to re-purpose compromised servers to be C2C or spam if it's an SMTP server than locking them up and doing (essentially) nothing with the data. The fact that datacenter PCs are essentially "cattle" PCs means that encryption is redundant - you can still get the data that you want and threaten companies the same.
- We in fact heard it a lot. "X is down" "X is Affected" ("when a person is victim of extortion is called extortion, but if a nation, is called terrorism? global politics?")
- The owners of the data centers have a lot of money, but also are more ruthless to deal with "threats" from street-level criminals "give us money or...or.. or.. elseeee!" "ELSE". Also, can hit back harder (?) ("stealing from granny is easy but from a tank crew not so much?")
- Also, the money means paying peanuts now is easy to keep things quiet, and solving it internally is not that big of a deal (this one I know - once, from somebody that I don't think was lying! - from banks: The guys are targeted and breached more than people know but who cares? too much money and they can call a BOSS in the military/police to deal with it later)
What would need to be available to let you attack a data centre and why would you attack a data centre in particular?
If you can get root on any internet connected machine for instance you wouldn't attack a data center.
I'm not sure what the 'thing' in a data centre would be that you would hack that's unique? Would it be switching equipment? But then what, an OS zero-day? Why not hit computers with the zero-day not behind switching equipment.
(Obviously they get "hit" all the time, most of the data being ransomed probably sits encrypted in a data center, along with REvil's house possibly also a data center; currently their onion site being down means their data center maybe has been hacked by a 3LA)
Cloud hosting providers have a far more vigilant security staff watching things. It will happen eventually, but it's far less likely to happen on any random day.
Here's my bigger-picture explanation of why, expressed as a set of consecutive counterpoints:
1. I initially found it curious that https://news.ycombinator.com/item?id=13718752 ("Cloudflare proxies are dumping uninitialized memory") never seemed to have made the mainstream news, while Heartbleed did. There are some awkward conspiracy arguments there, but I eventually realized that there's also the fact that people can just make mistakes at the end of the day, and while Heartbleed was very arguably in the public interest because individuals everywhere needed to take action to keep their systems (arguably) secure, making a website and silly name to highlight the security implications of a single company's mistake just... has the wrong tone, and it doesn't seem too much of a stretch to see major news coverage as somewhat similarly interfering and unhelpful.
2. There was discussion here ~some years ago about a random analytics test portal someone found that, when logged into (with "demo"/"password" or something similar) from a cellular device's IP, doxxed the name/address/last-4 of SSN (or possibly the whole thing, unsure)/etc of the account owner if that device was signed up to a particular US telco. Made quite a splash here; never hit the news. Not only was this not a mistake, it was definitely in the public interest: the company in question was clearly buying a realtime feed of $telco's entire IP address table, an item that should simply not have been for sale, and lack of security on the purchaser's part meant an unbounded number of individual customers were potentially affected (imagine visiting random websites and having them go "hello $yourname $lastname" and getting it right because they've just crammed an XHR to admin:password@portal.demo/api/whatever in their page, which IIRC had `access-control-allow-origin: *` and everything).
3. I've always found it a cute addition to the marketing video Google put out about their datacenter facilities - https://youtu.be/XZmGGAbHqa0?t=138 prominently features an "Alligators present" sign... but it's probably at least vaguely representative of the reality. These places have to deal with all kinds of insanity.
4. There was a story on here a little while back about the Cellebrite analyser (https://news.ycombinator.com/item?id=25522220). Reading the comments, I had a bit of an epiphany about one possible reason why Facebook, Whatsapp, Google, etc, actively want to use end-to-end encryption, which I wrote up at https://news.ycombinator.com/item?id=25522220: owning potentially hundreds of trillions of messages represents an untenable liability. I've read comments here that suggest most security products are good up to $1 million dollars, and a lot of security infrastructure (as installed on arbitrary servers, workstations, laptops, phones, etc) would begin seriously wobbling at even a fifth of that kind of money. (Apple ranked secure ROM extraction at $250k according to http://ramtin-amin.fr/#nvmedma (possibly published circa ~2015).) The thing is, if you have everyone's* messages - for an expansive, inclusive definition of "everyone" - then the value proposition you represent is comprised of every high-level individual who has sent messages using your platform, PLUS the fact that you have the cohesive bigger picture from group conversations between multiple high-level parties. In this light, spending a billion dollars or more to hack into a datacenter doesn't seem too far-fetched; as I noted in the linked writeup, you'd be able to start world wars 4 through 16.
5. I randomly heard anecdata that suggests datacenters periodically experience various interesting hardware faults. The response to my expression of curiosity (https://news.ycombinator.com/item?id=26407909) was extremely reasonable: go out for drinks with the old-timers.