MSP Synoptek Hit by Ransomware

The Computer Shop | Security & Privacy

Managed service provider Synoptek fell victim to the Sodinokibi ransomware, which spread to some of its clients. Find out what you can do to protect your business’s systems from being invaded.

Synoptek, a managed service provider (MSP) based in California, now knows what it feels like to have crucial IT operations come to a screeching halt. In late December 2019, it became a victim of a ransomware attack. Although Synoptek has been somewhat tight-lipped about the attack, reports from clients and anonymous sources within the company are shedding some light on what happened.

 

The Attack

The first indication that Synoptek was under attack appeared on Reddit. Affected Synoptek clients began sharing information about the issues they were experiencing, as well as their frustration at not being told immediately what was going on. “Everything is just fine and dandy according to the status page,” wrote one dismayed client.

Synoptek eventually released a statement on Twitter noting that “On Dec 23, we experienced a credential compromise which has been contained; we took immediate action and have been working diligently with customers to remediate the situation.”

Two anonymous sources within the company later indicated that Synoptek was hit by the Sodinokibi (aka REvil) ransomware. They also revealed that Synoptek paid the ransom so it could get the decryption keys that it and its clients needed to decrypt their files.

In a subsequent email to CRN, Synoptek CEO Tim Britt indicated that the attack affected a subset of Synoptek’s 1,178 customers. He did not confirm or deny that it was a ransomware infection.

 

The Sodinokibi Ransomware

The Sodinokibi ransomware targets Windows systems. Although it has only been in existence since April 2019, it is a serious threat, according to experts. It has advanced capabilities, many of which are configurable. For example, the ransomware can elevate privileges, terminate blacklisted processes prior to encryption to eliminate resource conflicts, and encrypt files on local storage devices and network shares.

Another noteworthy characteristic of Sodinokibi is that cybercriminals have been using it to target IT service providers. For example, it was used to attack MSPs in Colorado and Wisconsin earlier in 2019.

Cybercriminals targeting MSPs is not a new development, though. The National Cybersecurity and Communications Integration Center issued an alert about this trend back in October 2018. NCCIC is part of the US Department of Homeland Security.

 

Now Is Not the Time to Be Shy

Since MSPs are prime targets for ransomware and other types of malware attacks, it is important for you to make sure that all the IT service providers you use have a comprehensive security strategy in place. Ask questions — with MSP attacks increasing, now is not the time to be shy.

We’d be happy to answer any questions you might have about our security strategy. In addition, we can recommend measures you can take to better protect your systems, such as restricting MSP accounts to only the systems they manage and using firewalls to protect high-risk servers and networks.

Ransomware Yellow flickr photo by Infosec Images shared under a Creative Commons (BY) license