Cloud-hosting Vendor Suffers Ransomware Attack

July 18, 2021

Cloudstar, which is a cloud-hosting and data security provider to title and settlement companies, was the target of a sophisticated ransomware attack in July.

At the time, Cloudstar President Chris Cury said he did not know when the company’s systems would be restored. Tetra Defense, a third-party forensics company, is assisting in recovery efforts. Law enforcement also has been informed, according to Cury. (According to Cloudstar's website, Tetra Defense concluded its forensic investigation and data recovery efforts connected with the July 16 cybersecurity incident.)

“Since our previous update, we have continued to work around the clock to assess the recoverability of customer data," Cury said. "While this process remains ongoing, we are beginning to reach out to certain customers individually in specific instances in which we have identified a path to data recovery. We are committed to providing our customers with updates as soon as we have more information. The singular focus of everyone at our company is restoring our customer’s data and helping them continue their operations as best as we possibly can."

Cloudstar operates six data centers in the United States, serving more than 42,000 users.

Ransomware is a type of malicious software, or malware, that encrypts data on a computer making it unusable. A malicious cybercriminal holds the data hostage until the ransom is paid. If the ransom is not paid, the victim’s data remains unavailable. Cybercriminals may also pressure victims to pay the ransom by threatening to destroy the victim’s data or to release it to the public. There were 2,474 ransomware incidents with adjusted losses of over $29.1 million reported to the FBI in 2020.

Several software vendors and title companies are offering their expertise and services to help ensure deals continue to close.

Shawn Fox, director of sales and marketing for Premier One, said his company is helping Cloudstar clients get set up in the Microsoft Azure cloud platform. SoftPro, RamQuest and Qualia are all offering help to get title companies set up in their systems. Fox said he’s heard some title companies that use Cloudstar are reaching out to other title companies to see if they can process orders.

“Unfortunately, these companies do not have any of their data since the backups were affected in this attack as well,” Fox said. “We are setting them up with a blank database of the production software to get them operational for (Monday). As of right now, if a title company has not made any plans and are just hoping that Cloudstar comes back, they will not be able to process any orders. A lot of the customers also had their emails hosted with Cloudstar, so they are also having a hard time with communication.”

Affected title and settlement companies should contact regulators in the states they conduct business. The same companies also should contact their cyber insurance providers.

Kevin Nincehelser, chief operating officer for Premier One, said they are telling title companies affected by the attack to focus on the minimum viable product, a version of a software with just enough features to be usable. This is core to any business continuity plan.

Nincehelser encourages agents to verify their security status and ensure there is not an active threat to IT assets. Title companies should restore email communications with access to their domain registrar and Domain Name System (DNS) account, such as GoDaddy. Nincehelser said this can be completed quickly utilizing Microsoft 365.

“Title companies should restore their ability to process new orders,” he added. “This can be accomplished by obtaining a new instance of their production software on-premises or hosted with an available vendor such as Premier One, OP2, SoftPro, or Qualia. Companies also must rebuild production processes and workflows. For many agents, the extensive customization to their production software will be lost. It’s best to begin rebuilding as soon as possible.”

If available, affected title and settlement companies should restore data if available or check with Cloudstar to access any data that was backed up.

Additionally, Nincehelser said companies should initiate legal and compliance protocols because many states have strict consumer reporting timelines.

“Evaluating this immediately is critical to staying in compliance with those timelines,” he said. Click here for a resource for state privacy laws.

Cybersecurity Ventures has predicted ransomware will cost companies $20 billion worldwide in 2021. According to the 2020 Internet Crime Report, the FBI received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million last year. These losses do not include estimates of lost business, time, wages, files or equipment, or any third-party remediation services acquired by a victim. In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents.

The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and /or fund illicit activities, according to the FBI. Paying the ransom also does not guarantee that a victim’s files will be recovered. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges companies to report ransomware incidents to their local field office or the IC3. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law and prevent future attacks.

The FBI reported that although cybercriminals use a variety of techniques to infect victims with ransomware, the most common means of infection are:

  • Email phishing campaigns: The cybercriminal sends an email containing a malicious file or link which deploys malware when clicked by a recipient. Cybercriminals historically have used generic, broad-based spamming strategies to deploy their malware, through recent ransomware campaigns have been more targeted and sophisticated. Criminals may also compromise a victim’s email account by using precursor malware, which enables the cybercriminal to use a victim’s email account to further spread the infection.
  • Remote Desktop Protocol (RDP) vulnerabilities: RDP is a proprietary network protocol that allows individuals to control the resources and data of a computer over the internet. Cyber criminals have used both brute-force methods, a technique using trial-and-error to obtain user credentials, and credentials purchased on dark web marketplaces to gain unauthorized RDP access to victim systems. Once they have RDP access, criminals can deploy a range of malware—including ransomware—to victim systems.
  • Software vulnerabilities: Cyber criminals can take advantage of security weaknesses in widely used software programs to gain control of victim systems and deploy ransomware.
Ransomware Best Practices

The Cybersecurity & Infrastructure Security Agency (CISA) has developed a ransomware guide that includes industry best practices and a response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans. 


Contact ALTA at 202-296-3671 or [email protected].