Photography and personalized photo products giant Shutterfly has suffered a Conti ransomware attack that allegedly encrypted thousands of devices and stole corporate data.
Although many associate Shutterfly with its website, the company's photography-related services are targeted at consumers, businesses, and educational institutions through various brands, including GrooveBook, BorrowLenses, Shutterfly.com, Snapfish and Lifetouch.
The main website can be used to upload photos to create photo books, personalized stationery, greeting cards, postcards, and more.
Shutterfly suffers a Conti ransomware attack
On Friday, a source told BleepingComputer that Shutterfly suffered a ransomware attack by the Conti gang roughly two weeks ago, with the gang claiming to have encrypted over 4,000 devices and 120 VMware ESXi servers.
Although BleepingComputer has not seen the negotiations for the attack, we are told they are in progress and that the ransomware gang is demanding millions of dollars in ransom.
Before ransomware gangs encrypt devices on a corporate network, they usually lurk inside for days, if not weeks, stealing corporate data and documents. These documents are then used as leverage to force the victim to pay a ransom, under threat that the data will be published publicly or sold to other threat actors.
As part of this "double extortion" tactic, Conti has created a private Shutterfly data leak page containing screenshots of files allegedly stolen during the attack. The attackers threaten to make this page public if no ransom is paid.
BleepingComputer has been told that these screenshots include legal agreements, bank and merchant account information, login credentials for corporate services, spreadsheets, and what appears to be customer information, including the last four digits of credit card numbers.
Conti also claims to have the source code for the "Shutterfly Store", but it is unclear whether the ransomware gang is referring to Shutterfly.com or another website.
After BleepingComputer contacted Shutterfly about the attack on Friday, the company sent a statement late Sunday night confirming the ransomware attack.
The statement, shown in full below, says that the Shutterfly.com, Snapfish, TinyPrints, and Spoonflower sites were not affected by the attack. However, the attack on its corporate network did disrupt portions of the Lifetouch, BorrowLenses and Groovebook businesses, as well as manufacturing and some enterprise systems.
"Shutterfly, LLC recently experienced a ransomware attack on parts of our network. This incident did not affect our Shutterfly.com, Snapfish, TinyPrints, or Spoonflower sites. Portions of our Lifetouch and BorrowLenses business, Groovebook, manufacturing and some enterprise systems, however, have been interrupted. We hired outside cybersecurity experts, notified law enforcement, and worked around the clock to resolve the incident.
As part of our ongoing investigation, we are also checking the full extent of any data that may be affected. We do not store credit card, financial account information, or the Social Security numbers of our Shutterfly.com, Snapfish, Lifetouch, TinyPrints, BorrowLenses, or Spoonflower customers, so none of this information was affected by this incident. However, understanding the nature of the data that may be affected is the top priority, and this investigation is ongoing. We will continue to provide updates to this effect." - Shutterfly
While Shutterfly says no financial information was exposed, BleepingComputer was told that one of the screenshots contains the last four digits of credit card numbers, leaving it unclear whether other, more sensitive information was stolen during the attack.
When BleepingComputer contacted Shutterfly about the screenshot, the company referred us back to its original statement.
The Conti ransomware gang
Conti is a ransomware operation believed to be run by a Russian hacking group known for other notorious malware, including Ryuk, TrickBot and BazarLoader.
The operation runs as a ransomware-as-a-service, in which the core team develops the ransomware, maintains the payment and data leak sites, and negotiates with victims. The core team then recruits "affiliates" who breach corporate networks, steal data, and encrypt devices.
Under this arrangement, ransom payments are split between the core group and the affiliate, with the affiliate usually receiving 70-80% of the total.
Conti commonly breaches a network after a corporate device is infected with the BazarLoader or TrickBot malware, which gives the threat actors remote access to the device.
Once they have access to an internal system, they spread laterally through the network, harvest data, and deploy the ransomware.
Conti has a history of attacks against other high profile organizations including Ireland’s Health Service Executive (HSE) and Department of Health (DoH), the City of Tulsa, Broward County Public Schools and Advantech.
Due to the gang's increased activity, the US government recently issued an advisory warning of Conti ransomware attacks.
Update 12/27/21: Updated with answer about financial information in stolen data.