Conti ransomware hits 120 VMware ESXi servers on Shutterfly networks

Photography-focused platform Shutterfly confirmed that it has suffered a Conti ransomware attack that would have encrypted thousands of devices and exposed sensitive information. Shutterfly is one of the world’s leading photo and photo-sharing services firms, working through brands such as GrooveBook, BorrowLenses,, Snapfish and Lifetouch.

Conti is a Ransomware as a Service (RaaS) operation in which a core team develops ransomware, maintains payment sites and data breaches, while its affiliates handle the deployment of attacks and the theft of sensitive information.

The first reports about this incident appeared on Friday afternoon, when an alleged internal actor revealed that the firm suffered the massive attack a couple of weeks ago, compromising some 4,000 devices and more than 100 VMware ESXi servers. Although more details about the attack are unknown, the informant assures that the hackers are demanding a millionaire ransom in exchange for restoring the affected systems.

Typically, ransomware groups do not initiate an infection immediately after entering the target system, but spend at least a couple of weeks collecting sensitive information on the affected networks. The stolen data is often used as a way to force victims to pay the ransom, as hackers threaten to reveal the compromised information if their financial demands are not met.

This appears to be the case with Shutterfly, as Conti has created a private data breach page containing screenshots of files allegedly stolen during the attack, in what specialists know as the “double extortion” tactic. In addition, the hackers claim to have the source code of the Shutterfly store, but it is unclear whether the ransomware band refers to or another website run by the company.

After a couple of days of uncertainty, the company confirmed the attack: “Shutterfly recently experienced a ransomware attack in some areas of the network. This incident has not affected sites such, Snapfish, TinyPrints or Spoonflower. However, parts of the Lifetouch and BorrowLenses, Groovebook businesses have experienced disruptions.”

It is still unknown whether the affected company is willing to negotiate with threat actors or whether they will restore the affected systems on their own.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.