Mailing List Provider WordFly Scrambling to Recover Following Ransomware Attack

Mailing list provider WordFly has been offline for more than two weeks after ransomware encrypted data on some of its systems.

WordFly provides digital marketing for arts, culture, entertainment, and sports organizations, offering email and SMS marketing, forms, and surveys, among other options.

The ransomware attack crippled WordFly’s internal systems on July 10, and the company hasn’t been able to restore them since.

“At the present time, we are diligently working with our digital forensics experts to assist us with restoring the WordFly system. We cannot provide a firm timeline of when we expect operations to be fully restored,” WordFly noted in an incident FAQ.

The attack has disrupted all of the company’s services, except for those running on external resources, WordFly director Kirk Bentley said. Backup servers were also impacted in the attack.

Bentley also disclosed that the attackers were able to access and exfiltrate data from the company’s servers. The data theft was discovered on July 14, and the threat actor allegedly deleted the stolen data the next day.

“It is our understanding that as of the evening of July 15, 2022, that data has been deleted from the bad actor’s possession. We have no evidence to suggest, before the bad actor deleted the data, that the data was leaked over the dark web and/or sent to any other public facing domain/disseminated elsewhere,” WordFly said.

The exfiltrated data likely included names and email addresses, along with data that users imported into WordFly, which was collected in a form on WordFly, or which was transferred from TMS (the predecessor of WordFly). The attackers did not exfiltrate credit card information or login details, the company says.

Bentley, who referred to the stolen data as having a “generally non-sensitive and public nature”, also said that the company had no evidence that the information “has been, or will be, misused to perpetrate harm to the rights and liberties of our customers or their subscribers”.

WordFly also explained that, for all organizations, it keeps data since they became customers, and for the purpose it has been collected for. “The exception being some larger and long-term customers who have worked with us over the years to archive historic data. For most customers, we don’t routinely archive or delete anything,” the company said.

The mailing list provider has been delivering daily status updates, with the most recent ones suggesting that it might take at least several more days for WordFly services to be restored. The company says it is still investigating the root cause of the attack.

In the meantime, the company’s customers have started to inform their users of the incident, including London-based Courtauld, Smithsonian’s National Zoo, Sydney Dance Company, and the Toronto Symphony Orchestra.

Other WordFly customers likely impacted include Cheltenham Festivals, Royal Shakespeare Company, Royal Opera House, Southbank Centre, and The Old Vic.

Related: Black Basta Ransomware Becomes Major Threat in Two Months

Related: It Doesn’t Pay to Pay: Study Finds Eighty Percent of Ransomware Victims Attacked Again

Related: Cyberattack Causes Disruptions at Car Rental Giant Sixt