Cyber Incident Victim: Stor-a-File
Date: Aug 2021
Location: United Kingdom
Summary
A British data capture and storage firm suffered a ransomware attack after attackers exploited an unpatched SolarWinds Serv-U vulnerability, leading to unauthorized data access and leaks by the Clop ransomware group. The incident compromised sensitive medical records, including HIV clinic files and oncology documents processed for healthcare clients, with some of the information published on a Tor leak site. The company notified affected clients and authorities, refused the ransom demand, and removed third-party software from its systems to prevent recurrence. The attackers leveraged CVE-2021-35211, a critical remote code execution flaw in Serv-U's SSH implementation that SolarWinds had patched in July 2021; security researchers later noted that thousands of vulnerable Serv-U instances remained exposed after the patch was released. Stor-a-File's services included long-term document processing for NHS healthcare providers, though the specific impact of the breach on those clients was still under assessment.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The ransomware attack on Stor-a-File occurred in September 2021 after threat actors exploited an unpatched vulnerability (CVE-2021-35211) in SolarWinds' Serv-U file transfer server software. The flaw, a memory corruption bug in Serv-U's SSH handling that allows unauthenticated remote code execution, was discovered and reported by Microsoft, and SolarWinds disclosed and patched it in July 2021; it affects Serv-U 15.2.3 HF1 and all earlier versions, with 15.2.3 HF2 as the first fixed release. Stor-a-File was running one of the vulnerable versions, which the Clop ransomware gang leveraged for initial access to the company's systems. Upon discovering the breach, Stor-a-File immediately contacted the UK Information Commissioner's Office (ICO) and law enforcement. The company later notified affected clients after determining that their data might have been compromised, and publicly confirmed that it refused to pay the ransom demand. Subsequent analysis by NCC Group found that 2,784 Serv-U instances worldwide remained publicly accessible and vulnerable three months after SolarWinds released the fix, indicating widespread continued exposure to this attack vector.

The breach compromised sensitive medical records processed by Stor-a-File, including HIV test results, genitourinary clinic records, oncology files, and human resources documents. At least one medical-sector client was impacted, though Stor-a-File did not publicly identify the affected organizations. Archived web records showed that the company had provided document conversion services to the UK National Health Service for over 35 years, though the NHS scanning service page was removed from its website after the incident. The Clop gang leaked some of the stolen data on a Tor-based blog, consistent with the double-extortion tactics it had used earlier in 2021 against victims of the Accellion FTA file transfer appliance exploitation campaign, such as Bombardier. Stor-a-File responded by eliminating all third-party software from its secure systems to prevent future compromises. The incident shows how an internet-facing file transfer server left unpatched for weeks can expose the entire document archive of a healthcare-adjacent service provider.
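The version threshold (fixed in 15.2.3 HF2) and the NCC Group exposure count above point to two checks a defender running Serv-U would have wanted in August 2021: does the server still advertise a pre-fix version, and does its debug log show exploitation attempts. The script below is an added example written for this page; it is not code from Stor-a-File, NCC Group, SolarWinds or Microsoft. It assumes that Serv-U advertises its version in the SSH banner as `SSH-2.0-Serv-U_<major>.<minor>.<patch>.<build>` and that the first fixed build (15.2.3 HF2) reports itself as 15.2.3.742; both are assumptions to verify against your own installation. The crash signature it searches for is the `C0000005; CSUSSHSocket::ProcessReceive()` exception that Microsoft published as an indicator for exploitation of CVE-2021-35211; the surrounding log lines and the banner list are constructed sample data, not real scan results.

```python
"""Triage helpers for CVE-2021-35211 (SolarWinds Serv-U SSH pre-auth RCE).

Added example for this page; not code from the original page, Stor-a-File,
NCC Group, SolarWinds or Microsoft. Assumptions are marked inline.
"""
import re

# Assumption: 15.2.3 HF2 (first fixed release) identifies itself as 15.2.3.742.
FIXED_BUILD = (15, 2, 3, 742)

# Assumption: banner layout "SSH-2.0-Serv-U_15.2.3.717"; the build part may be absent.
BANNER_RE = re.compile(r"^SSH-2\.0-Serv-U_(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")

# Indicator Microsoft published for exploitation attempts (Serv-U DebugSocketLog.txt).
EXPLOIT_EXCEPTION_RE = re.compile(r"C0000005; CSUSSHSocket::ProcessReceive\(\)")
SESSION_RE = re.compile(r"\((\d+)\)")
CONNECT_RE = re.compile(r"\((\d+)\) Connected to (\S+)")


def parse_banner(banner: str):
    """Return (major, minor, patch, build) from a Serv-U SSH banner, else None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, build = m.groups()
    # A missing build number is treated as 0, i.e. assumed unpatched (conservative).
    return (int(major), int(minor), int(patch), int(build) if build else 0)


def is_vulnerable(banner: str):
    """True if the banner reports a build older than the fix, False if fixed,
    None if the banner is not a Serv-U banner."""
    version = parse_banner(banner)
    if version is None:
        return None
    return version < FIXED_BUILD


def summarize_exposure(banners):
    """Count banners by patch state, the way an internet-wide scan would be tallied."""
    summary = {"vulnerable": 0, "patched": 0, "unknown": 0}
    for banner in banners:
        state = is_vulnerable(banner)
        if state is None:
            summary["unknown"] += 1
        elif state:
            summary["vulnerable"] += 1
        else:
            summary["patched"] += 1
    return summary


def find_exploit_indicators(log_lines):
    """Scan DebugSocketLog.txt lines for the ProcessReceive() crash signature.

    Returns (line_number, session_id, peer_address) per hit; the peer address is
    taken from the most recent 'Connected to' line of the same session.
    """
    hits = []
    last_peer = {}
    for n, line in enumerate(log_lines, 1):
        c = CONNECT_RE.search(line)
        if c:
            last_peer[c.group(1)] = c.group(2)
        if EXPLOIT_EXCEPTION_RE.search(line):
            s = SESSION_RE.search(line)
            session = s.group(1) if s else None
            hits.append((n, session, last_peer.get(session)))
    return hits


# Constructed sample data (not real scan output or a real Stor-a-File log).
SAMPLE_BANNERS = [
    "SSH-2.0-Serv-U_15.2.3.717",   # 15.2.3 HF1: vulnerable
    "SSH-2.0-Serv-U_15.2.3.742",   # 15.2.3 HF2: fixed
    "SSH-2.0-Serv-U_15.1.7.162",   # older branch: vulnerable
    "SSH-2.0-Serv-U_15.3.0.0",     # later release: fixed
    "SSH-2.0-OpenSSH_8.4",         # not Serv-U
]

SAMPLE_DEBUG_LOG = [
    "[12] Tue 17Aug21 03:12:44 - (000001) Connected to 203.0.113.5 (local address 10.0.0.7, port 22)",
    "[12] Tue 17Aug21 03:12:45 - (000001) EXCEPTION: C0000005; CSUSSHSocket::ProcessReceive(); "
    "Type: 30; puchPayLoad = 0x041ec066; nPacketLength = 76; nBytesReceived = 80; "
    "nBytesUncompressed = 156; uchPaddingLength = 5",
    "[12] Tue 17Aug21 03:12:46 - (000001) Client disconnected",
]

if __name__ == "__main__":
    print("exposure:", summarize_exposure(SAMPLE_BANNERS))
    for line_no, session, peer in find_exploit_indicators(SAMPLE_DEBUG_LOG):
        print(f"line {line_no}: session {session} from {peer} hit ProcessReceive() exception")
```

A crash line alone proves an attempt, not a successful compromise; a failed exploit attempt can also produce the exception, so treat hits as a trigger for host forensics on the Serv-U server rather than as confirmation. Banner-based checks are only as reliable as the version string, so confirm the installed build on the host before closing a finding.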
