March 22, 2023

Photography and personalized photo giant Shutterfly have suffered a ransomware attack that allegedly encrypted thousands of devices and stole corporate data.

The company’s photography-related services are aimed at consumer, enterprise, and education customers through various brands such as GrooveBook, Borrow Lenses,, Snapfish, and Lifetouch. The main website can be used to upload photos to create photo books, personalized stationery, greeting cards, post cards, and many other services.

Shutterfly suffers a Conti ransomware attack

Shutterfly suffered a ransomware attack approximately two weeks ago by the Conti gang, who claims to have encrypted over 4,000 devices and 120 VMware ESXi servers.

Before ransomware gangs encrypt devices on corporate networks, they commonly remain persistence in the network , stealing corporate data and documents. These documents are then used as leverage to force a victim to pay a ransom under the threat that they will be publicly released or sold to other hackers.

Conti has created a private Shutterfly data leak page containing screenshots of files allegedly stolen during the ransomware attack, as part of this ” double-extortion” tactic. The attackers threaten to make this page public if a ransom is not paid. Screenshots include legal agreements, bank and merchant account info, login credentials for corporate services, spreadsheets, and what appears to be customer information, including the last four digits of credit cards.

Shutterfly, LLC recently experienced a ransomware attack on parts of our network. This incident has not impacted our, Snapfish, TinyPrints or Spoonflower sites. However, portions of our Lifetouch and BorrowLenses business, Groovebook, manufacturing and some corporate systems have been experiencing interruptions. We engaged third-party cybersecurity experts, informed law enforcement, and have been working around the clock to address the incident. As part of our ongoing investigation, we are also assessing the full scope of any data that may have been affected. We do not store credit card, financial account information or the Social Security numbers of our, Snapfish, Lifetouch, TinyPrints, BorrowLenses, or Spoonflower customers, and so none of that information was impacted in this incident. However, understanding the nature of the data that may have been affected is a key priority and that investigation is ongoing. We will continue to provide updates as appropriate.

ShutterFly Statement

Conti commonly breaches a network after a corporate device becomes infected with the Bazar Loader or TrickBot malware infections, which provide remote access to the hacking group. After gaining access to an internal system, they spread through the network, harvest data, and deploy the ransomware.

Conti is known for attacks on other high-profile organizations in the past, including Ireland’s Health Service Executive (HSE) and Department of Health (DoH), the City of Tulsa, Broward County Public Schools, and Advantech. Due to the increased activity by the cybercrime gang, the US government recently issued an advisory on Conti ransomware attacks.

Leave a Reply

%d bloggers like this: