iNSYNQ Ransomware Attack Started With Phishing Email: Report

A July ransomware attack on cloud hosting provider iNSYNQ that rendered its customers’ files inaccessible appears to have started with a successful phishing email to an iNSYNQ sales employee, according to a report out today.

“It also looks like the intruders spent roughly 10 days rooting around iNSYNQ’s internal network to properly stage things before unleashing the ransomware,” Brian Krebs, who reports on cybercrime, wrote in a post on his “Krebs on Security” blog today. “iNSYNQ ultimately declined to pay the ransom demand, and it is still working to completely restore customer access to files.”

Krebs said that some of those details came from a town hall-style meeting that iNSYNQ CEO Elliot Luchansky held yesterday with customers of the company, which markets virtual desktops, web application management and QuickBooks cloud hosting, among other offerings.

In a statement to CRN, iNSYNQ disputed some details in Krebs' report, without saying which ones.

“We are working with a third-party cybersecurity firm in an ongoing investigation regarding this very information and cannot speak definitively regarding additional details on the attack until our investigation is complete,” the company said.

The Gig Harbor, Wash.-based iNSYNQ last month reported a July 16 ransomware attack by unknown “malicious” perpetrators that prompted it to take steps including turning off some servers. Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. The malware was able to encrypt some iNSYNQ customer files, the vast majority of which were smaller files and did not include QuickBooks or Sage files, according to the company. The attack also infected backups of customer data, Krebs reported.

Luchansky said the intruders seeded its internal network with MegaCortex, which Krebs described as a potent new ransomware strain, first discovered a few months ago, that’s being used in targeted attacks on enterprises. Luchansky did not disclose how much money the ransomware attackers were asking for, but the company did not oblige them, Krebs reported.

“It was a very substantial amount, but we had the money wired and were ready to pay it in cryptocurrency in the case that it made sense to do so,” Luchansky told customers, according to Krebs. “But we also understood [that paying] would put a target on our heads in the future, and even if we actually received the decryption key, that wasn’t really the main issue here. Because of the quick reaction we had, we were able to contain the encryption part” to about 50 percent of customer systems.

Accenture’s iDefense Cyber Threat Intelligence Blog reported on Monday that attackers using MegaCortex typically are demanding ransom of two to 600 bitcoins, which equates to $20,000 to $5.8 million.

The attackers’ ransom notes state that, “We are working for profit. The core of this criminal business is to give back your valuable data in the original form (for ransom of course),” according to Accenture.

iNSYNQ is working with CrowdStrike, a Sunnyvale, Calif.-based cybersecurity technology company to gain a more complete picture of the ransomware attack, according to Krebs.

iNSYNQ’s hotline for customers affected by the outage can be reached at 1-866-356-6420.