
High-profile MSP Synoptek paid the attackers off to get decryption keys after it was infected this week by the potent Sodinokibi strain of ransomware, KrebsOnSecurity reported.
The ransomware attack disrupted operations at many of the Irvine, Calif.-based MSP’s clients, prompting the company to pay an unverified sum in ransom in hopes of restoring operations as quickly as possible, two Synoptek employees told KrebsOnSecurity. Once inside Synoptek’s systems, the intruders used a remote management tool to install the ransomware on client systems, a Synoptek client told KrebsOnSecurity.
Synoptek confirmed the attack but did not comment on whether it paid a ransom in order to remediate it.
“On Dec. 23, we experienced a credential compromise which has been contained,” Synoptek wrote in a Tweet just before 6 p.m. ET Friday. “We took immediate action and have been working diligently with customers to remediate the situation.” KrebsOnSecurity published its report on Synoptek just before 9 p.m. ET Friday.
Synoptek CEO Tim Britt told CRN in an email that the “holiday attack” affected a subset of Synoptek’s 1,178 customers, and has since been contained and remediated. Britt said he was very proud of Synoptek’s team for responding on Christmas Day and remediating the vast majority of customer situations before the start of business on Dec. 26.
“We are 100 percent focused on assuring all customer impact is identified and resolved at this time,” Britt said in the email.
Britt did not respond to questions from CRN on whether the attack was ransomware, whether Synoptek paid a ransom to the attackers to get decryption keys or expedite its restoration efforts, or whether a remote management tool was used to install ransomware on the systems of Synoptek clients.
The U.S. Department of Homeland Security and State of California have been reaching out to state and local entities potentially affected by the Synoptek ransomware attack, sources told KrebsOnSecurity. News of the ransomware incident first appeared on Reddit, which lit up on Christmas Eve with posts from people working at companies affected by the attack, KrebsOnSecurity said.
The Sodinokibi strain of ransomware believed to have been used in the Synoptek attack encrypts data and demands a cryptocurrency payment in return for a digital key that unlocks access to infected systems, and is also known as “REvil,” KrebsOnSecurity said. Sodinokibi was also used in the Aug. 16 coordinated ransomware attack against 22 Texas municipalities.
The use of remote access tools to gain a foothold in client systems after infiltrating an IT service provider has been a repeat occurrence in attacks against solution providers, including the breach of Wipro and the ransomware attack against Texas towns. Since MSPs use remote access tools in the course of their regular business, it’s hard to determine that something is amiss when those tools fall into the hands of hackers: the malicious pushes come from a legitimate console and a legitimate account.
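Because the pushes look legitimate, one useful signal is their shape rather than their source: a single operator account deploying an artifact that has not gone through the MSP's change process to many distinct client tenants within a few minutes. The following heuristic, which runs over an RMM console's audit export, is an added example and is not code from the article, Synoptek or KrebsOnSecurity; the log format, account names, tenant names, artifact hashes and approved-artifact list are all constructed for illustration, and the business-hours window is an assumed UTC range.

```python
"""Heuristic detection of mass payload deployment through an RMM console.

Added example, not from the article. All log data, account names, tenant
names and hashes below are constructed; adapt parse_log() to the export
format of the RMM product actually in use.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed audit export: ISO timestamp | operator | client tenant | action | artifact hash.
# The approved agent update is pushed normally during the day; the unknown artifact is
# pushed to six tenants in under a minute at 01:12 UTC on Dec. 24.
SAMPLE_LOG = """\
2019-12-23T14:02:11Z|tech.alice|client-01|deploy_package|sha256:9f2c-agent-update
2019-12-23T14:05:40Z|tech.alice|client-02|deploy_package|sha256:9f2c-agent-update
2019-12-23T14:09:03Z|tech.bob|client-07|run_script|sha256:77aa-disk-cleanup
2019-12-24T01:12:05Z|tech.alice|client-01|deploy_package|sha256:e3d1-unknown
2019-12-24T01:12:09Z|tech.alice|client-02|deploy_package|sha256:e3d1-unknown
2019-12-24T01:12:14Z|tech.alice|client-03|deploy_package|sha256:e3d1-unknown
2019-12-24T01:12:20Z|tech.alice|client-04|deploy_package|sha256:e3d1-unknown
2019-12-24T01:12:27Z|tech.alice|client-05|deploy_package|sha256:e3d1-unknown
2019-12-24T01:12:33Z|tech.alice|client-06|deploy_package|sha256:e3d1-unknown
2019-12-24T09:30:00Z|tech.bob|client-07|deploy_package|sha256:e3d1-unknown
"""

# Artifact hashes the MSP's change process has approved (constructed values).
APPROVED_ARTIFACTS: Set[str] = {"sha256:9f2c-agent-update", "sha256:77aa-disk-cleanup"}
# Actions that execute something on a client endpoint.
PUSH_ACTIONS = {"deploy_package", "run_script"}
# Assumed business hours in UTC; tune to the help desk's actual schedule.
BUSINESS_HOURS = range(8, 18)


@dataclass(frozen=True)
class Event:
    ts: datetime
    operator: str
    tenant: str
    action: str
    artifact: str


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-separated export into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, tenant, action, artifact = line.split("|")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            operator, tenant, action, artifact))
    return sorted(events, key=lambda e: e.ts)


def find_mass_pushes(events: List[Event], approved: Set[str],
                     min_tenants: int = 5,
                     window: timedelta = timedelta(minutes=15)) -> List[Dict]:
    """Flag (operator, artifact) pairs where an unapproved artifact reached
    at least min_tenants distinct tenants inside a sliding time window."""
    by_key: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in events:
        if e.action in PUSH_ACTIONS and e.artifact not in approved:
            by_key[(e.operator, e.artifact)].append(e)  # keeps time order

    findings = []
    for (operator, artifact), evs in by_key.items():
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            tenants = {e.tenant for e in evs[start:end + 1]}
            if len(tenants) >= min_tenants and (best is None or len(tenants) > len(best[0])):
                best = (tenants, evs[start].ts, evs[end].ts)
        if best is not None:
            tenants, first, last = best
            findings.append({
                "operator": operator,
                "artifact": artifact,
                "tenant_count": len(tenants),
                "tenants": sorted(tenants),
                "first_seen": first.isoformat(),
                "last_seen": last.isoformat(),
                # Off-hours mass deployment raises the priority of the alert.
                "off_hours": first.hour not in BUSINESS_HOURS,
            })
    return findings


if __name__ == "__main__":
    for f in find_mass_pushes(parse_log(SAMPLE_LOG), APPROVED_ARTIFACTS):
        print(f)
```

The approved-artifact allowlist is what keeps the alert from firing on routine agent updates; the tenant threshold and window should be set from the MSP's own deployment history rather than the constructed values used here, and a hit is a prompt to verify the push against the change ticket, not proof of compromise on its own.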
Synoptek has 736 employees, offices across North America, Europe and India, and expected to grow revenue by 14 percent in 2019 to $106 million, Britt told the Orange County Business Journal in August. Synoptek appeared on the Elite 150 of the 2019 CRN MSP 500 list, and has earned a spot on the CRN MSP 500 in five of the past six years.
The company was purchased by private equity giant Sverica Capital Management in November 2015. Synoptek has been an aggressive acquirer in recent years, scooping up FusionStorm’s MSP business in August 2013, EarthLink’s $37 million IT services business in February 2016, enterprise software provider Indusa in July 2018, and Microsoft business consulting services firm Dynamic Resources in May 2019.