Blue-Chip MSP Synoptek Hit By Ransomware, Paid Ransom To ‘Extortionists:’ Report

High-profile MSP Synoptek paid the attackers off to get decryption keys after it was infested this week by the potent Sodinokibi strain of ransomware, KrebsOnSecurity reported.

The ransomware attack disrupted affairs at many of the Irvine, Calif.-based MSP’s clients, prompting the company to pay an unverified sum in ransom in hopes of restoring operations as quickly as possible, two Synoptek employees told KrebsOnSecurity. Once inside Synoptek’s systems, the intruders used a remote management tool to install the ransomware on client systems, a Synoptek client told KrebsOnSecurity.

Synoptek confirmed the attack but did not comment on whether it paid a ransom in order to remediate it.

“On Dec. 23, we experienced a credential compromise which has been contained,” Synoptek wrote in a Tweet just before 6 p.m. ET Friday. “We took immediate action and have been working diligently with customers to remediate the situation.” KrebsOnSecurity published its report on Synoptek just before 9 p.m. ET Friday.

[Related: The 10 Biggest Ransomware Attacks of 2019]

Synoptek CEO Tim Britt told CRN in an email that the “holiday attack” affected a subset of Synoptek’s 1,178 customers, and has since been contained and remediated. Britt said he was very proud of Synoptek’s team for responding on Christmas Day and remediating a vast majority of customer situations before the start of business on Dec. 26.

“We are 100 percent focused on assuring all customer impact is identified and resolved at this time,” Britt said in the email.

Britt did not respond to questions from CRN on whether the attack was ransomware, whether Synoptek paid a ransom to the attackers to get decryption keys or expedite its restoration efforts, or whether a remote management tool was used to install ransomware on the systems of Synoptek clients.

The U.S. Department of Homeland Security and State of California have been reaching out to state and local entities potentially affected by the Synoptek ransomware attack, sources told KrebsOnSecurity. News of the ransomware incident first appeared on Reddit, which lit up on Christmas Eve with posts from people working at companies affected by the attack, KrebsOnSecurity said.

The Sodinokibi strain of ransomware believed to have been used in the Synoptek attack encrypts data and demands a cryptocurrency payment in return for a digital key that unlocks access to infected systems, and is also known as “rEvil,” KrebsOnSecurity said. Sodinkokibi was also used in the Aug. 16 coordinated ransomware attack against 22 Texas municipalities.

The use of remote access tools to gain a foothold in client systems after infiltrating an IT service provider has been a repeat occurrence in attacks against solution providers, including the breach of Wipro and the ransomware attack against Texas towns. Since MSPs use remote access tools in the course of their regular business, it’s hard to determine that something is amok when they fall into the hands of hackers.

Synoptek has 736 employees, offices across North America, Europe and India, and expected to grow revenue by 14 percent in 2019 to $106 million, Britt told the Orange County Business Journal in August. Synoptek appeared on the Elite 150 of the 2019 CRN MSP 500 list, and has earned a spot on the CRN MSP 500 in five of the past six years.

The company was purchased by private equity giant Sverica Capital Management in November 2015. Synoptek has been aggressive acquirer in recent years, scooping up FusionStorm’s MSP business in August 2013, EarthLink’s $37 million IT services business in February 2016, enterprise software provider Indusa in July 2018, and Microsoft business consulting services firm Dynamic Resources in May 2019.