EXECUTIVE SUMMARY:

The photography company Shutterfly is among the latest organizations to be hit with a ransomware attack. The company acknowledged the incident over the weekend. The attackers claim to have stolen the source code for Shutterfly's store, although it is unclear whether the ransomware gang is referring to Shutterfly.com or to another of the company's sites. The investigation remains ongoing.

What happened

According to Shutterfly, the breach affected multiple network components, although it has not impacted the Shutterfly.com, Snapfish, TinyPrints or Spoonflower sites. Portions of the company's Lifetouch and BorrowLenses businesses, Groovebook, manufacturing, and some corporate systems have experienced interruptions.

A source within the company indicated that the Conti ransomware gang may have perpetrated the attack; stolen Shutterfly data has since appeared on Conti's leak site. One source who viewed the leaked data suggests that the attack began roughly two weeks earlier. The company says it is working around the clock to address the incident.

Why it matters

The breach prompted Shutterfly to contact law enforcement and to retain an outside security team to help with the response. The ransomware reportedly affected more than 4,000 devices and 120 VMware ESXi servers. The operators responsible for the attack are demanding millions and have threatened to post the stolen files online if Shutterfly does not pay. Negotiations are listed as in progress.

In exchange for payment, the ransomware operators promise to provide the decryption key for the locked devices and state that they would not publish "all" of the stolen data. Screenshots posted by the Conti group indicate that the attackers obtained legal agreements, bank and merchant account information, login credentials for corporate services, spreadsheets, and what may or may not be customer information.

Shutterfly security

In 2019, Shutterfly reportedly had about 10 million customers who placed more than 26 million orders every year. Since then, through a series of acquisitions, the company's installed base has grown by another 10 million customers. This is not the first breach Shutterfly has experienced in the past five years.

Could the breach affect you?

As part of the investigation, Shutterfly aims to assess the full scope of any data potentially affected. At present, customers' financial account information and Social Security numbers are not believed to have been compromised. Shutterfly states that it does not store credit card numbers, financial account information or Social Security numbers for Shutterfly.com, Snapfish, Lifetouch, TinyPrints, BorrowLenses or Spoonflower customers, and that this incident did not result in the compromise of any such information.

Understanding the nature of the data that may have been affected is a key priority for Shutterfly. The investigation is ongoing. The company intends to provide further updates as appropriate.

Summary

The Conti ransomware group operates on the Ransomware-as-a-Service (RaaS) model: a core team develops and maintains the ransomware, then recruits "affiliates" to do the heavy lifting of breaching corporate networks, stealing data, and encrypting devices. Under this arrangement, affiliates commonly receive 70-80% of each ransom payment, and the core operators keep the remainder.

The Conti ransomware group has previously attacked high-profile organizations ranging from health service providers to tech firms. If you're concerned about experiencing a similar incident, check out the best firewall options.

Also, be sure to check out the CISO’s Guide to Ransomware Prevention.

Lastly, to learn more about managing cyber risk in a changing world, please join us at the premier cyber security event of the year, CPX 360 2022. Register here.