[BreachExchange] Shutterfly Acknowledges Hit by Ransomware Attack

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Dec 27 13:57:36 EST 2021


https://www.healthcareinfosecurity.com/shutterfly-acknowledges-hit-by-ransomware-attack-a-18206

Internet-based photo-sharing and publishing company Shutterfly says a
ransomware attack has disrupted its operations.

"This incident has not impacted our Shutterfly.com, Snapfish, TinyPrints or
Spoonflower sites. However, portions of our Lifetouch and BorrowLenses
business, Groovebook, manufacturing and some corporate systems have been
experiencing interruptions," the company says in a statement.

Shutterfly says it is currently assessing the full scope of data that may
have been affected and is engaging with third-party cybersecurity experts.
It has informed relevant authorities at law enforcement departments about
the incident, it says.

"We do not store credit card, financial account information or the Social
Security Numbers of our Shutterfly.com, Snapfish, Lifetouch, TinyPrints,
BorrowLenses, or Spoonflower customers, and so none of that information was
impacted in this incident. However, understanding the nature of the data
that may have been affected is a key priority and that investigation is
ongoing. We will continue to provide updates as appropriate," Shutterfly
says.

Attribution
The Conti ransomware group is reportedly responsible for the attack, which
has encrypted over 4,000 devices and 120 VMware ESXi servers, according to
a Bleeping Computer report, citing an unidentified source.

The report also says that the group has created a data leak site and dumped
on it screenshots of files allegedly stolen during the attack.

Ransom negotiations are underway, and the gang is "demanding millions of
dollars," according to the report.

A Shutterfly spokesperson did not immediately respond to Information
Security Media Group's request for comments.

Although Conti's data leak site contains Shutterfly data, the teaser data
doesn't appear very sensitive for the site's users, according to Jake
Williams, a former member of the National Security Agency's elite hacking
team.

No significant customer data, such as hashes and passwords, were on the
Conti blog either, Williams, now CTO at BreachQuest, tells ISMG.

"I expect the pay/no pay decision in this case will purely be justified on
business interruption. I think organizations are generally getting wiser to
the low actual impact of double-extortion releases. As the internet is
flooded with more internal corporate data, the shock value of new dumps
seems to be decreasing," he says.

About Conti
Conti is one of several Russian-speaking ransomware operations believed to
be operating from countries that were formerly part of the Soviet Union.
The group has hit targets in the U.S. and Europe, causing widespread
disruption.

The ransomware-as-a-service operation practices the double-extortion
technique, in which attackers attempt to extort a victim into paying both
for a decryptor and for a promise to delete the stolen data.

The U.S. government, which has been tracking an increase in the pace of
attacks tied to Conti ransomware, recently issued a joint cybersecurity
advisory from the U.S. Cybersecurity and Infrastructure Security Agency,
the FBI and the National Security Agency, warning that Conti has so far
successfully hit more than 400 organizations based in the U.S. and abroad
(see: Conti Ransomware Attacks Surging, US Government Warns).

To better secure against Conti attacks, the advisory recommends a range of
defenses, including "implementing the mitigation measures described in this
advisory, which include requiring multifactor authentication, implementing
network segmentation and keeping operating systems and software up to date."

In November, Conti reportedly leaked details of world leaders, actors and
business tycoons after a strike at London-based high society jeweler Graff