Business Continuity Management / Disaster Recovery , Cybercrime , Cybercrime as-a-service
Shutterfly Acknowledges Hit by Ransomware AttackConti Ransomware Group Is the Likely Attacker
Internet-based photo-sharing and publishing company Shutterfly says a ransomware attack has disrupted its operations.
"This incident has not impacted our Shutterfly.com, Snapfish, TinyPrints or Spoonflower sites. However, portions of our Lifetouch and BorrowLenses business, Groovebook, manufacturing and some corporate systems have been experiencing interruptions," the company says in a statement.
Shutterfly says it is currently assessing the full scope of data that may have been affected and is engaging with third-party cybersecurity experts. It has informed relevant authorities at law enforcement departments about the incident, it says.
“We do not store credit card, financial account information or the Social Security Numbers of our Shutterfly.com, Snapfish, Lifetouch, TinyPrints, BorrowLenses, or Spoonflower customers, and so none of that information was impacted in this incident. However, understanding the nature of the data that may have been affected is a key priority and that investigation is ongoing. We will continue to provide updates as appropriate,” Shutterfly says.
The Conti ransomware group is reportedly responsible for the attack, which has encrypted over 4,000 devices and 120 VMware ESXi servers, according to a Bleeping Computer report, citing an unidentified source.
The report also says that the group has created a data leak site and dumped on it screenshots of files allegedly stolen during the attack.
Ransom negotiations are underway, and the gang is "demanding millions of dollars," according to the report.
A Shutterfly spokesperson did not immediately respond to Information Security Media Group's request for comments.
Although Conti's data leak site contains Shutterfly data, the teaser data doesn't appear very sensitive for the site's users, according to Jake Williams, a former member of the National Security Agency's elite hacking team.
No significant customer data, such as hashes and passwords, were on the Conti blog either, Williams, now CTO at BreachQuest, tells ISMG.
"I expect the pay/no pay decision in this case will purely be justified on business interruption. I think organizations are generally getting wiser to the low actual impact of double-extortion releases. As the internet is flooded with more internal corporate data, the shock value of new dumps seems to be decreasing," he says.
Conti is one of several Russian-speaking ransomware operations believed to be operating from countries that were formerly part of the Soviet Union. The group has hit targets in the U.S. and Europe, causing widespread disruption.
The ransomware-as-a-service operations provider practice the double-extortion technique, which refers to attackers attempting to extort a victim into paying for a decryptor while promising to delete stolen data.
The U.S. government, which has been tracking an increase in the pace of attacks tied to Conti ransomware, recently issued a joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency, warning that Conti has so far successfully hit more than 400 organizations based in the U.S. and abroad (see: Conti Ransomware Attacks Surging, US Government Warns).
To better secure against Conti attacks, the advisory recommends a range of defenses, including "implementing the mitigation measures described in this advisory, which include requiring multifactor authentication, implementing network segmentation and keeping operating systems and software up to date."
In November, Conti reportedly leaked details of world leaders, actors and business tycoons after a strike at London-based high society jeweler Graff (see: Celebrities' Data Dumped on Darknet Site After Hack).