EXECUTIVE SUMMARY:

“VFEmail ONLY does email, so our job is to ensure the system is always available.” So reads the first line of the company’s About page on its website. But after hackers wiped out the company’s data yesterday, a message on its home page read, “We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@94.155.49.9. This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.”

The email provider serves both businesses and end users. On February 11, hackers obliterated the company’s US servers and all the customer data they contained.

In a series of tweets that started yesterday morning, the saga played out like a plane going down. It began with the company tweeting that systems were out, followed hours later by news that a hacker had been caught in the Netherlands formatting a server. Then, reports Brian Krebs of KrebsOnSecurity, this message:

“At this time, the attacker has formatted all the disks on every server,” wrote VFEmail. “Every VM [virtual machine] is lost. Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.”

VFEmail owner Rick Romero told Krebs that he worries that 18 years of customer emails are gone forever. One user told Krebs that his inbox had been completely cleaned, wiping out about 60,000 emails that spanned 10 years.

Romero also told Krebs he believes the attacker was operating from Bulgaria. “I haven’t done much digging yet on the actors,” he said. “It looked like the IP was a Bulgarian hosting company. So I’m assuming it was just a virtual machine they were using to launch the attack from. There definitely was something that somebody didn’t want found. Or, I really pissed someone off. That’s always possible.”

The force of the cyberattack has some experts surprised. ZDNet points out that it’s unusual that a hacker goes for the guts and wipes out all the data. Often, server attacks serve as beachheads to run botnets, host malware, or demand a ransom.

As KrebsOnSecurity writes, “…Such actions are an unsettling reminder that although most cybercriminals have some kind of short- or long-term profit motive in mind, an intruder with privileged access to a network can just as well virtually destroy everything within reach as they can plant malware or extortion threats like ransomware.”

Unsettling indeed.

Get the full story at KrebsOnSecurity.