Malware, Ransomware

Mortgage loan servicing company discloses ransomware attack to multiple states


Mortgage loan servicing company SN Servicing Corporation notified at least two states in recent weeks of a ransomware attack on its systems.

Filings submitted to the California and Vermont state attorneys general disclosed that the company was hit by ransomware attacks on or around Oct. 15, 2020. According to the documents, upon learning of the incident, SN “immediately locked down affected systems and engaged a third party team of forensic experts to determine the impact on our borrowers.”

A preliminary investigation identified data related to billing statements and fee notices to customers from 2018, including names, address, loan numbers, balance information and billing information such as charges assessed, owed or paid.

SN Servicing is the California-based servicing arm of Security National Master Holding Company, which claims on its website to have a servicing portfolio of over 26,000 residential, commercial, consumer and unsecured loans sourced from various financial institutions, with a substantial portion in under-performing and non-performing residential mortgage loans. The company claims to specialize in "re-performing seriously delinquent loans," including HUD/FHA, USDA and VA loans for investors.

The notices about the ransomware attack do not provide details as to how the breach occurred, but offer free one-year credit monitoring services and advises customers to “remain vigilant over [the] next twelve to twenty-four months, review your account statements and immediately report any suspicious activity."

The company also said it is “bolstering its cybersecurity posture” through a number of upgrades, including replacement of its email filtering tools, malware software and internet monitoring tools with “more robust solutions that utilize artificial intelligence to detect and block known and newly introduced malware.” Also noted were plans to block all outbound and inbound internet, email and network traffic to foreign countries, and upgrading infrastructure to improve backup and recovery services.

Requests for comment submitted to SN Servicing's California office through phone and email have not been returned at press time.

While neither of the disclosures mention which ransomware variant or group was behind the attack, SN Servicing appears on the Egregor ransomware leak site in their “Hall of Shame” section reserved for companies that have refused to pay the ransom. Thus far, the group does not appear to have released any of the company's data, but their page is tagged with a “Coming Soon” label.

Egregor is relatively new on the scene but has quickly established itself as a top threat to industry worldwide and a leading purveyor of ransomware-as-a-service. In a January industry alert, the FBI said the group’s malware was first detected in September 2020, that it claims to have compromised over 150 organizations, and that it utilizes a wide variety of tactics, techniques and procedures that can create “significant challenges for defense and mitigation.”

According to a review of Q4 2020 ransomware activity from Digital Shadows, Egregor malware was the most frequently seen malware, accounting for 17% of total ransomware-related security alerts and hitting other high-profile victims like Barnes & Noble, Ubisoft and Crytek. Jamie Hart, a cyber threat intelligence analyst with Digital Shadows, told SC Media that the emergence and rapid rise of Egregor right around the same time that another top group, Maze, announced it was shutting down, was one of the biggest developments in ransomware last year.

Hart and other analysts have speculated that some Maze operators may have simply shifted to using the Egregor variant, noting the unusual, immediate sophistication demonstrated by Egregor operators as well as similarities in victimology, language used on their respective leak sites and the use of double extortion techniques. However, she said this connection and how deep it may be has yet to be confirmed.

“Maze started this pay or get breached trend…at the end of 2019, so to see such a trendsetter like that just out of the blue be like ‘Nope, we’re doing it anymore’ was pretty unexpected,” Hart said. “And I think the biggest part on the back half of that is to see a ransomware variant like Egregor enter the scene right around that same time and just take off and be just as big as Maze was now.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.