iNSYNQ Continues Recovery From MegaCortex Ransomware Attack
Cloud Hosting Provider's Customers Affected
A week after a ransomware attack locked up customer files and data at online cloud hosting provider iNSYNQ, the company is continuing to recover and restore its internal infrastructure. It remains unclear how much longer this process will take, the company acknowledges.
The attack on iNSYNQ, a Gig Harbor, Washington-based company that offers virtual desktop infrastructure to customers as well as services to other companies that host Intuit Quickbooks apps on its infrastructure, started on July 16 and involved a relatively new strain of ransomware called MegaCortex, CEO Elliot Luchansky noted in a blog.
"While we caught the attack early, the malware was able to encrypt some files," Luchansky says in the Monday blog directed to customers. "We are currently working to determine if those are recoverable. You might see encrypted files on your desktop with .megacortex as an extension - they aren't available to access. If you need access to those files immediately, please check your local backups or contact support. Luckily, the vast majority of the files that were impacted (i.e., are encrypted) are smaller files and do not include QuickBooks or Sage files."
In the blog, Luchansky notes that the attackers did not steal any customer data, but rather encrypted the files with malware. The CEO did not say whether the attackers asked for a ransom or if the company was considering a payment.
Not much is known about MegaCortex, but security firm Sophos and other researchers first took notice of this ransomware variant in early January, with a significant uptick starting around May 1. Some security experts believe that MegaCortex is the ransomware that took down accounting software giant Wolters Kluwer in early May, although the company never acknowledged what malware was involved in the incident, according to published reports (see: Malware Knocks Out Accounting Software Giant Wolters Kluwer).
Security vendor Malwarebytes found that MegaCortex likely spreads through a Trojan downloader such as Qbot or Emotet. "Once a corporate network has been compromised, the attackers try to gain access to a domain controller and spread across the entire network from there," according to Malwarebytes researchers.
In its second-quarter analysis of ransomware, Coveware found that the Ryuk, Dharma and Phobos variants still dominate, with MegaCortex far more rare (see: Ransomware: As GandCrab Retires, Sodinokibi Rises).
Security blogger Brian Krebs first reported on the attack against iNSYNQ on Friday. He noted that several customers took to Twitter and other social media platforms to raise their concerns and displeasure over iNSYNQ's lack of clarity on the restoration of its services.
As part of the recovery effort, iNSYNQ was forced to take its entire infrastructure offline and then initiate back-ups to recover the data. This is the main reason why the company has taken over a week to restore services to customers, the company acknowledged in the Monday blog.
Responding to the criticism, Luchansky acknowledged that the recovery process has been slow because the company has been taking manual steps to recover files. In a separate post to customers late Monday, iNSYNQ noted that it had started using automation tools to help accelerate the process.
"The rate at which we're able to bring customers back online will accelerate early morning [Tuesday] as we leverage automation we've developed to expedite the process. We’ll reach out individually to customers as they come back online," according to the late Monday post.
The company could not be reached for comment on Tuesday.
Recovery & Accountability
The lagging accountability by iNSYNQ and the customer reaction to the ransomware attack is likely to hurt the company's business in the long run, says Rich Curtiss, a principal at Coalfire, a Colorado-based provider of cybersecurity advisory services. In some ways, it's reminiscent of how some victims of WannaCry and NotPetya responded in 2017.
"The iNSYNQ response is not unusual and reminiscent of the response by Nuance during the [NotPetya] ransomware campaign in May of 2017," Curtiss tells Information Security Media Group. "A lack of transparency with the customer base can be as damaging to the brand as the infiltration itself."
iNSYNQ appears to have lacked a data backup strategy and apparently did not have the proper architecture in place for a cloud service provider hosting this many customers.
"The ability to recover from a malicious software campaign should be routinely drilled as a part of a business continuity plan," Curtiss says. "Waiting for an event to happen without proper training will delay the restoration, and customers may find another provider."
Other security experts, however, say that the scale of the attack against iNSYNQ warrants a longer recovery time and that recovery of these types of cloud services is always a long endeavor.
"Downtime becomes worse when the network being targeted is a cloud service provider and the systems encrypted are those of its customers," says Chris Morales, head of security analytics at security firm Vectra.
"In a single attack, many organizations can be crippled from performing basic business functions," he says. "Early in January, DataResolution.net was hit by the Ryuk ransomware. DataResolution had 30,000 customers globally at that time."
Still, this type of attack can damage the reputation of any company, especially when cloud service providers are supposed to protect the infrastructure that their customers use to run their businesses.
"When customers get hit, that can be extremely damaging to the [cloud service provider’s] reputation, especially when security is often pitched as a reason for moving to the cloud," Morales says. "The lack of clear customer communication and incident response preparedness doesn't help either."
Managing Editor Scott Ferguson contributed to this report.