Photo service giant Shutterfly halts service due to attack by Conti ransomware


Shutterfly, a leading photo and personalized photo products company, has announced that it has been attacked by the Conti ransomware, which encrypted thousands of devices and stole corporate data.


Shutterfly’s photo-related services target consumer, business and educational customers through a variety of brands including GrooveBook, BorrowLenses, Shutterfly.com, Snapfish and Lifetouch.

On the main site, you can upload your photos to create photo books, original stationery, greeting cards, postcards and more.

Shutterfly Attacked by Conti Ransomware

Shutterfly says it was hit by a Conti ransomware attack about two weeks ago, which encrypted more than 4,000 devices and 120 VMware ESXi servers.

This attack is still ongoing and we are told that the ransomware group is demanding millions of dollars in ransom.

Ransomware groups typically lurk inside corporate networks for days or weeks, stealing corporate data and documents before encrypting devices.

These stolen documents are then used as leverage to force victims to pay a ransom, under threat of the data being published or sold to other hackers.

As part of this “double extortion” tactic, Conti has created a private Shutterfly data leak page with screenshots of files allegedly stolen in the attack. The attackers have threatened to make this page public if the ransom is not paid.

These screenshots contain what appears to be customer information, including legal contracts, bank and merchant account information, login information to corporate services, spreadsheets, and the last four digits of credit cards.

Conti also claims to have the source code for the Shutterfly store, but it is not clear if the ransomware group means Shutterfly.com or a different website.

Shutterfly has announced that it has been hit by a ransomware attack, and that its Shutterfly.com, Snapfish, TinyPrints and Spoonflower sites are unaffected. However, the company’s corporate network, Lifetouch, BorrowLenses and Groovebook experienced service disruptions.

Shutterfly, LLC has suffered a ransomware attack on a portion of our network. Shutterfly.com, Snapfish, TinyPrints, and Spoonflower sites are not affected by this incident. However, our Lifetouch and BorrowLenses businesses, Groovebook, manufacturing, and some of our enterprise systems have been compromised. We have engaged third-party cybersecurity experts, reported to law enforcement, and are working around the clock to address this incident.

As part of our ongoing investigation, we have a complete picture of all data that may have been affected. We do not store credit card information, financial account information, or social security numbers for Shutterfly.com, Snapfish, Lifetouch, TinyPrints, BorrowLenses, or Spoonflower customers, so this incident does not affect this information. We do not store credit card information, financial account information, or social security numbers of BorrowLenses and Spoonflower customers. However, understanding the nature of the data that may have been affected is an important priority, and that investigation is ongoing. We will keep you updated as appropriate.

Shutterfly says no financial information was disclosed, but we are told that one of the screenshots contains the last four digits of a credit card, so it is unclear whether additional, more sensitive information was stolen in this attack.

“Conti” ransomware

Conti is a ransomware operation believed to be run by a Russian hacking group known for other well-known malware such as Ryuk, TrickBot, and BazarLoader.

Conti operates as Ransomware-as-a-Service: a core team develops the ransomware, runs the payment and data leak sites, and negotiates with victims, while recruited “affiliates” break into corporate networks, steal data, and encrypt devices.

The ransom payment is split between the core group and the affiliate, with the affiliate usually receiving 70-80% of the total amount.

Conti affiliates first infect corporate devices with malware such as BazarLoader and TrickBot, which then gives them remote access to the network.

With this remote access to internal systems, they spread across the network, harvest data, and finally deploy the ransomware.

Conti has been known in the past for its attacks on high-profile organizations such as the Health Service Executive (HSE) and Department of Health (DoH) in Ireland, the City of Tulsa, Broward County Public Schools, and Advantech.

Because of this cybercriminal organization’s increased activity, the U.S. government recently issued an advisory on Conti ransomware attacks.


Recommended countermeasures from CISA

  • Use multi-factor authentication
  • Segment the network and filter traffic
  • Scan for vulnerabilities and keep software updated
  • Remove unnecessary applications and apply controls
  • Deploy endpoint detection and response (EDR) tools
  • Restrict access to resources on the network; in particular, restrict RDP
  • Secure user accounts

In the event of a ransomware outbreak at your organization, CISA, FBI, and NSA recommend the following actions.

  • Scan backups. If possible, scan the backup data with an antivirus program to ensure that it is free of malware before restoring from it.
  • Report the incident immediately to CISA (https://us-cert.cisa.gov/report), the local FBI field office, or the local US Secret Service office.
  • CISA and cybersecurity authorities in Australia, Canada, New Zealand, and the United Kingdom have jointly developed an advisory, “Technical Approaches to Uncovering and Remediating Malicious Activity.”
  • Apply the incident response best practices described in “Technical Approaches to Uncovering and Remediating Malicious Activity.”
  • CISA, FBI, and NSA strongly discourage paying ransom to criminals. Paying the ransom may encourage adversaries to target additional organizations, encourage other criminals to become involved in distributing ransomware, or fund illicit activities. Also, paying the ransom does not guarantee that the victim’s files will be recovered.
