Mailing list provider WordFly scrambles to recover after ransomware attack

Mailing list provider WordFly has been offline for more than two weeks after ransomware encrypted data on some of its systems.

WordFly provides digital marketing to arts, culture, entertainment and sports organizations, offering email and SMS marketing, forms and surveys, among other options.

The ransomware attack crippled WordFly’s internal systems on July 10, and the company has been unable to restore them since.

“At this time, we are working diligently with our digital forensics experts to help us restore the WordFly system. We cannot provide a specific timeline of when we expect operations to be fully restored,” WordFly noted in an incident FAQ.

The attack disrupted all company services except those running on external resources, WordFly director Kirk Bentley said. Backup servers were also affected by the attack.

Bentley also revealed that attackers were able to access and exfiltrate data from company servers. The data theft was discovered on July 14, and the threat actor allegedly deleted the stolen data the following day.

“We understand that from the evening of July 15, 2022, this data was deleted from the possession of the bad actor. We have no evidence to suggest, prior to the bad actor deleting the data, that the data was leaked to the dark web and/or sent to any other public domain/distributed elsewhere,” WordFly said.

The exfiltrated data likely included names and email addresses, as well as data that users imported into WordFly, that was collected in a form on WordFly, or that was transferred from TMS (the predecessor of WordFly). The attackers did not exfiltrate credit card information or login credentials, the company says.

Bentley, who called the stolen data “generally non-sensitive and public in nature,” also said the company had no evidence that the information “has been or will be misused to undermine the rights and freedoms of our customers or their subscribers.”

WordFly also explained that, for all organizations, it retains data from the time they became customers, for the purpose for which it was collected. “The exception being some larger, long-term customers who have worked with us over the years to archive historical data. For most customers, we don’t routinely archive or delete anything,” the company said.

The mailing list provider has been posting daily status updates, with the most recent suggesting that restoring WordFly services could take at least several days. The company says it is still investigating the root cause of the attack.

In the meantime, the company’s customers have started notifying their users of the incident, including the London-based company Courtauld, Smithsonian National Zoo, Sydney Dance Company and the Toronto Symphony Orchestra.

Other WordFly customers likely to be affected include Cheltenham Festivals, the Royal Shakespeare Company, the Royal Opera House, the Southbank Centre and The Old Vic.


Ionut Arghire is an international correspondent for SecurityWeek.
