Closings in Jeopardy as Cloud-hosting Vendor Suffers Ransomware Attack

July 18, 2021

Cloudstar, which is a cloud-hosting and data security provider to title and settlement companies, remained offline after being the target of a sophisticated ransomware attack.

Cloudstar President Chris Cury said he does not know when the company’s systems will be restored. Third-party experts are assisting in recovery efforts. Law enforcement also has been informed, according to Cury.

“Due to the nature of this attack, at this time our systems are currently inaccessible, and although we are working around the clock, we do not have a definitive restoration timeline,” Cury said. “We will continue to investigate this incident and provide updates to our customers as we have additional information to share.”  

Cloudstar operates six data centers in the United States, serving more than 42,000 users.

Ransomware is a type of malicious software, or malware, that encrypts data on a computer making it unusable. A malicious cybercriminal holds the data hostage until the ransom is paid. If the ransom is not paid, the victim’s data remains unavailable. Cybercriminals may also pressure victims to pay the ransom by threatening to destroy the victim’s data or to release it to the public. There were 2,474 ransomware incidents with adjusted losses of over $29.1 million reported to the FBI in 2020.

Several software vendors and title companies are offering their expertise and services to help ensure deals continue to close.

Shawn Fox, director of sales and marketing for Premier One, said his company is helping Cloudstar clients get set up in the Microsoft Azure cloud platform. SoftPro, RamQuest and Qualia are all offering help to get title companies set up in their systems. Fox said he’s heard some title companies that use Cloudstar are reaching out to other title companies to see if they can process orders.

“Unfortunately, these companies do not have any of their data since the backups were affected in this attack as well,” Fox said. “We are setting them up with a blank database of the production software to get them operational for (Monday). As of right now, if a title company has not made any plans and are just hoping that Cloudstar comes back, they will not be able to process any orders. A lot of the customers also had their emails hosted with Cloudstar, so they are also having a hard time with communication.”

Affected title and settlement companies should contact regulators in the states they conduct business. The same companies also should contact their cyber insurance providers.

Kevin Nincehelser, chief operating officer for Premier One, said they are telling title companies affected by the attack to focus on the minimum viable product, a version of a software with just enough features to be usable. This is core to any business continuity plan.

Nincehelser encourages agents to verify their security status and ensure there is not an active threat to IT assets. Title companies should restore email communications with access to their domain registrar and Domain Name System (DNS) account, such as GoDaddy. Nincehelser said this can be completed quickly utilizing Microsoft 365.

“Title companies should restore their ability to process new orders,” he added. “This can be accomplished by obtaining a new instance of their production software on-premises or hosted with an available vendor such as Premier One, OP2, SoftPro, or Qualia. Companies also must rebuild production processes and workflows. For many agents, the extensive customization to their production software will be lost. It’s best to begin rebuilding as soon as possible.”

If available, affected title and settlement companies should restore data if available or check with Cloudstar to access any data that was backed up.

Additionally, Nincehelser said companies should initiate legal and compliance protocols because many states have strict consumer reporting timelines.

“Evaluating this immediately is critical to staying in compliance with those timelines,” he said. Click here for a resource for state privacy laws.

The FBI reported that although cybercriminals use a variety of techniques to infect victims with ransomware, the most common means of infection are:

  • Email phishing campaigns: The cybercriminal sends an email containing a malicious file or link which deploys malware when clicked by a recipient. Cybercriminals historically have used generic, broad-based spamming strategies to deploy their malware, through recent ransomware campaigns have been more targeted and sophisticated. Criminals may also compromise a victim’s email account by using precursor malware, which enables the cybercriminal to use a victim’s email account to further spread the infection.
  • Remote Desktop Protocol (RDP) vulnerabilities: RDP is a proprietary network protocol that allows individuals to control the resources and data of a computer over the internet. Cyber criminals have used both brute-force methods, a technique using trial-and-error to obtain user credentials, and credentials purchased on dark web marketplaces to gain unauthorized RDP access to victim systems. Once they have RDP access, criminals can deploy a range of malware—including ransomware—to victim systems.
  • Software vulnerabilities: Cyber criminals can take advantage of security weaknesses in widely used software programs to gain control of victim systems and deploy ransomware.
Ransomware Best Practices

The Cybersecurity & Infrastructure Security Agency (CISA) has developed a ransomware guide that includes industry best practices and a response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans. 


Contact ALTA at 202-296-3671 or