Milwaukee-based email provider VFEmail has suffered what it has described as a “catastrophic” attack which has resulted in the destruction of all data in the U.S. on both primary and backup systems.
The attackers didn’t demand a ransom but simply went on an attack and destroy mission.
Signs of the attack surfaced the morning of Feb. 11 when the company’s Twitter account started fielding reports from users complaining of not receiving messages to which the firm responded that its “external facing systems, of differing OS’s and remote authentication, in multiple data centers are down.” The company later when on to explain the severity of the attack.
“At this time, the attacker has formatted all the disks on every server,” VFEmail tweeted. “Every VM [virtual machine] is lost. Every file server is lost, every backup server is lost. Strangely, not all VMs shared the same authentication, but all were destroyed. This was more than a multi-password via ssh exploit, and there was no ransom. Just attack and destroy.”
The company claims to have caught the perpetrator in the act of formating one of the company's servers in the Netherlands and later in the day VFEmail owner Rick Romero said new email is being delivered and that efforts are being made to recover whatever user data could be salvaged.
Romero said on the company site that he is unsure of the status of existing mail for U.S. users and instructed those with their own email client to not try to make it work or risk losing their local mail.
This is not the first time the company has come under attack. In 2015 the company suffered a debilitating DDoS attack after a ransom wasn’t paid and in 2017 another series of DDoS attacks forced VFEmail to find a new hosting provider.
“The devastating attack on VFEmail is a strong reminder to enterprises that a single keystroke or attack can destroy thousands of workloads and take down a business,” Balaji Parimi, CEO at CloudKnox Security, told SC Media.
“Attacks of this magnitude - where the goal is simply to attack and destroy - are rare, but well within the power of attackers who gain access to infrastructure," he said.
Parimi noted that enterprises need to do a better job of mitigating the threat of over privileged identities which begins with gaining an understanding of which identities have access to the types of privileges that can destroy their business and limiting those privileges to properly-trained, security-conscious personnel.
“This attack left VFEmail, and some of their customers, without access to their information," Fausto Oliveira, principal security architect at Acceptto, told SC Media, which "raises questions of what disaster recovery strategy was in place and why data wasn't backed up into cold storage, thus making it unavailable to attackers."
If the company had a strategy in place, Oliveira said, "they should be able to recover at least a substantial part of their customers data."