A ransomware attack on Cloudstar, which provides cloud hosting for title insurance applications, is threatening to derail mortgage closings and put sensitive client information at risk.
A ransomware attack on a company that provides cloud hosting for title insurance applications is threatening to derail closings and put sensitive client information at risk.
Cloudstar, which claims to operate the nation’s largest privately held settlement services cloud, first reported a “possible service interruption” affecting a “portion of our customers” on Friday, July 16.
Two days later, Cloudstar revealed that the company had in fact discovered on Friday that it “was the victim of a highly sophisticated ransomware attack.” In a Sunday, July 18, notice, Cloudstar said it had hired a third-party forensics expert, Tetra Defense, “to assist us in our recovery efforts and also informed law enforcement. Negotiations with the threat actor are ongoing.”
In another update Monday, the company said its Office 365 mail services, email encryption, and technical support services were “still fully operational and secure.”
On its website, Cloudstar says it operates six U.S. data centers, providing virtual desktop hosting and other services to more than 42,000 users.
Cloudstar says it offers cloud hosting for clients who use title insurance applications including SoftPro, RamQuest, ResWare, TitleExpress, Impact, RBJ Edge, Streamline, TitleScan, HalFile, LanTec, Double Time, Closer’s Choice and GreenFolders.
Cloudstars clients are title agents and other end users, not the software providers themselves, many of whom were quick to reassure clients.
SoftPro, for example, posted a notice on the company’s website Tuesday reassuring customers that the ransomware attack “has in no way impacted the functionality of SoftPro products or services. SoftPro was not breached or impacted in any way by this incident. Additionally, we have received no reports of impact from our integrated partners.”
Similarly, RamQuest said it had “not not been impacted by this ransomware attack as Cloudstar does NOT host information for RamQuest. We do not anticipate interruption to our service related to the Cloudstar ransomware attack.”
However, the company said, “If you use Cloudstar’s services [to host RamQuest’s title production software], we’re here to help and will make our solution available to you.”
HalFILE CTO Christopher Smith told Inman via email that he was “not aware of any current customers on the Cloudstar platform. We have had a few in the past that elected to move away from Cloudstar.”
Smith said HalFILE’s recommendation to customers who move to any cloud provider, “is to ensure that they have more than one cloud provider providing backup of their plant data and images that are not tied to the same network. In the case of our own cloud offering we utilize Wasabi to store offline disaster recovery backups that can be used to restore in the case of a ransomware or malware attack.”
Premier One COO Kevin Nincehelser told the American Land Title Association that title companies can restore their ability to process new orders “by obtaining a new instance of their production software on-premises or hosted with an available vendor such as Premier One, OP2, SoftPro, or Qualia.”
Nincehelser noted that companies will have to rebuild production processes and workflows, and many title agents will lose customizations made to their production software. So it’s best to start rebuilding “as soon as possible,” he said.
In its latest notice about the attack, posted Tuesday night, Cloudstar said it was “continuing to work around the clock with our third-party experts to investigate the nature and scope of this attack.”
The company said it would provide more information on when it expected to be up and running “as soon as we have a definitive timeline.”
In the meantime, the company said, “We are still very much so in the containment and remediation phase and appreciate our valued partners’ patience at this time.”
Cloudstar responded to Inman’s request for comment with a statement that summarized information previously provided on the company’s system status page.
The Cybersecurity & Infrastructure Security Agency (CISA) released a ransomware guide on Sept. 30, providing industry best practices and a response checklist to “inform and enhance network defense and reduce exposure to a ransomware attack.”
Have you experienced delays in closings due to the Cloudstar ransomware attack? Email the author.
Email Matt Carter