Manufacturing at Shutterfly, the photography industry giant, was one of the areas suffering from a Conti ransomware attack earlier in December that encrypted thousands of devices and stole data.

The company’s photography-related services are aimed at consumer, enterprise, and education customers.

The various brands that fly under the Shutterfly banner include GrooveBook, BorrowLenses,, Snapfish, and Lifetouch. The main website can end up used to upload photos to create photo books, personalized stationary, greeting cards, post cards, and more.

Shutterfly suffered a ransomware attack approximately two weeks ago by the Conti gang, who claims to have encrypted over 4,000 devices and 120 VMware ESXi servers, according to a report from BleepingComputer.

Negotiations with the attackers is in progress and the ransomware gang is demanding millions of dollars as a ransom, according to the report.

Schneider Bold

As a rule of thumb in a double ransomware attacker, before devices end up encrypted, attackers commonly lurk inside for days, if not weeks, stealing corporate data and documents. These documents are then used as leverage to force a victim to pay a ransom under the threat they will be publicly released or sold to other hackers.

Conti has created a private Shutterfly data leak page containing screenshots of files allegedly stolen during the ransomware attack, as part of this ” double-extortion” tactic, according to the BleepingComputer report. The attackers said they will make this page public if a ransom is not paid.

Conti claims to have the source code for Shutterfly’s store, according to the report.

Shutterfly issued a statement Sunday confirming the ransomware attack:

“Shutterfly, LLC recently experienced a ransomware attack on parts of our network. This incident has not impacted our, Snapfish, TinyPrints or Spoonflower sites. However, portions of our Lifetouch and BorrowLenses business, Groovebook, manufacturing and some corporate systems have been experiencing interruptions. We engaged third-party cybersecurity experts, informed law enforcement, and have been working around the clock to address the incident.

“As part of our ongoing investigation, we are also assessing the full scope of any data that may have been affected. We do not store credit card, financial account information or the Social Security numbers of our, Snapfish, Lifetouch, TinyPrints, BorrowLenses, or Spoonflower customers, and so none of that information was impacted in this incident. However, understanding the nature of the data that may have been affected is a key priority and that investigation is ongoing. We will continue to provide updates as appropriate.”

Shutterfly said no financial information was disclosed.

Conti is a ransomware operation believed to be operated by a Russian hacking group known for Ryuk, TrickBot, and BazarLoader.

This operation runs as a Ransomware-as-a-Service, where the core team develops the ransomware, maintains payment and data leak sites, and negotiates with victims. The group will recruit “affiliates” who breach the corporate network, steal data, and encrypt devices.

As part of this arrangement, ransom payments are split between the core group and the affiliate, with the affiliate usually receiving 70 to 80 percent of the total collected.

Last week, researchers with security firm Advanced Intelligence (AdvIntel) discovered the Conti ransomware group exploiting VMware vCenter Server instances through the Log4j vulnerabilities.

In a report, the security company said it discovered multiple members of Conti discussing ways to take advantage of the Log4j issue, making them the first sophisticated ransomware group spotted trying to weaponize the vulnerability.

One week after the Log4j2 vulnerability became public, AdvIntel in a report said it discovered the most concerning trend – the exploitation of the new CVE by one of the most prolific organized ransomware groups – Conti.

Conti plays a role in today’s threat landscape, primarily due to its scale. Divided on several teams and involving tenths of full-time members, the Russian-speaking Conti made over $150 million in the last six months, according to AdvIntel research into the ransomware logs. And they continue to expand.


Pin It on Pinterest

Share This