{
	"id": "88425055-d1e5-4ee5-99fc-9da64837161d",
	"created_at": "2026-04-06T03:36:49.486802Z",
	"updated_at": "2026-04-10T03:34:54.287491Z",
	"deleted_at": null,
	"sha1_hash": "ae1c5029f534c284cbea2309da3008c1ed4fda87",
	"title": "Equinix data center giant hit by Netwalker Ransomware, $4.5M ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4885484,
	"plain_text": "Equinix data center giant hit by Netwalker Ransomware, $4.5M ransom\r\nBy Lawrence Abrams\r\nPublished: 2020-09-10 · Archived: 2026-04-06 03:20:43 UTC\r\nData center and colocation giant Equinix has been hit with a Netwalker ransomware attack where threat actors are\r\ndemanding $4.5 million for a decryptor and to prevent the release of stolen data.\r\nEquinix is a massive data center and colocation provider with over 50 locations worldwide.  Customers use these data\r\ncenters to colocate their equipment or to interconnect with other ISPs and network providers.\r\nThe attack on Equinix\r\nEarly this week, a source shared a Netwalker ransom note with BleepingComputer that was allegedly from an attack on\r\nEquinix that occurred over the Labor Day holiday weekend.\r\nhttps://www.bleepingcomputer.com/news/security/equinix-data-center-giant-hit-by-netwalker-ransomware-45m-ransom/\r\nPage 1 of 6\n\nThis note gives us clues about how Equinix was compromised, when the attack occurred, and what data was stolen.\r\nUnlike most Netwalker ransom notes seen by BleepingComputer, this note has a specific message for the victim that\r\nincluded a link to a screenshot of allegedly stolen data.\r\n\"LOOK AT THIS SCREENSHOT https://prnt.sc/[redacted]\r\nIF YOU NOT CONTACT US WE WILL PUBLISH YOUR DATA TO PUBLIC ACCESS. 
YOU CAN TAKE A LOOK AT\r\nOUR BLOG [redacted]\r\nYOU HAVE 3 DAYS TO CONTACT US OR WE WILL MAKE POST IN OUR BLOG, CONTACT ALL POSSIBLE\r\nNEWS SITES AND TELL THEM ABOUT DATA BREACH \"\r\nEquinix ransom note\r\nThe screenshot, which we redacted below, contains numerous folders whose names indicate they include financial\r\ninformation, payroll, accounting, audits, and data center reports.\r\nScreenshot of alleged stolen data\r\nFolder names in the screenshot reference data centers and engineers who work in Australia, indicating that their Australian\r\noffices were likely compromised.\r\nThe latest timestamp on the folders is 9/7/20, which corroborates the claims that the attack occurred over the weekend.\r\nIf you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal\r\nat +16469613731.\r\nThe ransom note includes a link to the Netwalker Tor payment site that shows a $4.5 million, or 455 bitcoin, ransom\r\ndemand. If the payment was not paid after a certain amount of time, the ransom would double to $9 million.\r\nRansom demand\r\nAfter reaching out to Equinix about this attack yesterday, the company went public with a statement that they shared with\r\nBleepingComputer late last night.\r\n\"Equinix is currently investigating a security incident we detected that involves ransomware on some of our internal\r\nsystems. Our teams took immediate and decisive action to address the incident, notified law enforcement and are continuing\r\nto investigate. Our data centers and our service offerings, including managed services, remain fully operational, and the\r\nincident has not affected our ability to support our customers. 
Note that as most customers operate their own equipment\r\nwithin Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix.\r\nThe security of the data in our systems is always a top priority and we intend to take all necessary actions, as appropriate,\r\nbased on the results of our investigation.\"\r\nEquinix has numerous RDP servers exposed\r\nExposed remote desktop servers are the most common method used by hackers to compromise a network.\r\nAfter learning of this attack on Equinix earlier this week, BleepingComputer spoke to Advanced Intel's Vitali Kremez about\r\nthis attack.\r\nAccording to Advanced Intel's Andariel intelligence platform, there are 74 known Equinix remote desktop servers and their\r\nlogin credentials being sold in hacker marketplaces and private sales.\r\nExposed RDP servers\r\nOf the 74 remote desktop servers, most are concentrated in Australia, Turkey, and Brazil.\r\nSource: https://www.bleepingcomputer.com/news/security/equinix-data-center-giant-hit-by-netwalker-ransomware-45m-ransom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/equinix-data-center-giant-hit-by-netwalker-ransomware-45m-ransom/"
	],
	"report_names": [
		"equinix-data-center-giant-hit-by-netwalker-ransomware-45m-ransom"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775446609,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae1c5029f534c284cbea2309da3008c1ed4fda87.pdf",
		"text": "https://archive.orkl.eu/ae1c5029f534c284cbea2309da3008c1ed4fda87.txt",
		"img": "https://archive.orkl.eu/ae1c5029f534c284cbea2309da3008c1ed4fda87.jpg"
	}
}