Secure email service provider VFEmail has been hit by a destructive attack from an unknown attacker. The company says it suffered a “catastrophic destruction” of its US servers, losing almost two decades of data and backups in only a few hours.
The attack destroyed the company’s entire digital infrastructure. Founded by Rick Romero in 2001, the Milwaukee, Wisconsin-based email provider serves both end users and businesses.
The attack was identified early in the morning on February 11. VFEmail’s Twitter account reported that users were complaining they were no longer receiving messages. Later, the account posted this message:
“External facing systems, of differing OS’s and remote authentication, in multiple data centers are down.”
Reportedly, all of VFEmail’s services were down, and the attacker was found to have formatted almost everything. The Twitter account also reported that the provider “caught the perp in the middle of formatting the backup server.”
Romero also tweeted about the attack from his personal account (@Havokmon) on Tuesday morning, February 12, 2019: “Yes, @VFEmail is effectively gone. It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”
According to VFEmail, the attacker formatted all the disks on the company’s US servers, and every virtual machine was lost, along with every file and all primary and backup data.
Notably, the virtual machines did not share the same authentication, yet all of them were destroyed, which suggests the attack was more than a routine multi-password SSH exploit. It is also worth noting that the attacker simply wiped the data and made no ransom demand.
Romero informed users via the company’s website that new email service was underway and that they were trying to recover as much data as they could. Speaking to Brian Krebs of KrebsOnSecurity on Tuesday, Romero said they had managed to recover a backup drive hosted in the Netherlands. However, the company fears that US users’ data may never be recovered.
“At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK. If you reconnect your client to your new mailbox, all your local mail will be lost,” read Romero’s statement on VFEmail’s website.
It is not clear who the attacker is or how they pulled this off, but the company did identify an IP address, 94[.]155[.]49[.]9, registered in Bulgaria, and the username used in the attack, aktv.
Romero stated that the attacker might have used various means of access, including a virtual machine, to reach the company’s email infrastructure, which is why its security measures, including two-factor authentication (2FA), could not prevent the attack. VFEmail’s main website is up, but the company’s secondary domains (vfemail.net) remain unavailable.