[BreachExchange] Blue-Chip MSP Synoptek Hit By Ransomware, Paid Ransom To ‘Extortionists:’ Report

Destry Winant destry at riskbasedsecurity.com
Mon Dec 30 10:27:40 EST 2019


High-profile MSP Synoptek paid the attackers off to get decryption
keys after it was infested this week by the potent Sodinokibi strain
of ransomware, KrebsOnSecurity reported.

The ransomware attack disrupted affairs at many of the Irvine,
Calif.-based MSP’s clients, prompting the company to pay an unverified
sum in ransom in hopes of restoring operations as quickly as possible,
two Synoptek employees told KrebsOnSecurity. Once inside Synoptek’s
systems, the intruders used a remote management tool to install the
ransomware on client systems, a Synoptek client told KrebsOnSecurity.

Synoptek confirmed the attack but did not comment on whether it paid a
ransom in order to remediate it.

“On Dec. 23, we experienced a credential compromise which has been
contained,” Synoptek wrote in a Tweet just before 6 p.m. ET Friday.
“We took immediate action and have been working diligently with
customers to remediate the situation.” KrebsOnSecurity published its
report on Synoptek just before 9 p.m. ET Friday.

Synoptek CEO Tim Britt told CRN in an email that the “holiday attack”
affected a subset of Synoptek’s 1,178 customers, and has since been
contained and remediated. Britt said he was very proud of Synoptek’s
team for responding on Christmas Day and remediating a vast majority
of customer situations before the start of business on Dec. 26.

“We are 100 percent focused on assuring all customer impact is
identified and resolved at this time,” Britt said in the email.

Britt did not respond to questions from CRN on whether the attack was
ransomware, whether Synoptek paid a ransom to the attackers to get
decryption keys or expedite its restoration efforts, or whether a
remote management tool was used to install ransomware on the systems
of Synoptek clients.

The U.S. Department of Homeland Security and State of California have
been reaching out to state and local entities potentially affected by
the Synoptek ransomware attack, sources told KrebsOnSecurity. News of
the ransomware incident first appeared on Reddit, which lit up on
Christmas Eve with posts from people working at companies affected by
the attack, KrebsOnSecurity said.

The Sodinokibi strain of ransomware believed to have been used in the
Synoptek attack encrypts data and demands a cryptocurrency payment in
return for a digital key that unlocks access to infected systems, and
is also known as “rEvil,” KrebsOnSecurity said. Sodinokibi was also
used in the Aug. 16 coordinated ransomware attack against 22 Texas

The use of remote access tools to gain a foothold in client systems
after infiltrating an IT service provider has been a repeat occurrence
in attacks against solution providers, including the breach of Wipro
and the ransomware attack against Texas towns. Since MSPs use remote
access tools in the course of their regular business, it’s hard to
tell that something is amiss when they fall into the hands of

Synoptek has 736 employees, offices across North America, Europe and
India, and expected to grow revenue by 14 percent in 2019 to $106
million, Britt told the Orange County Business Journal in August.
Synoptek appeared on the Elite 150 of the 2019 CRN MSP 500 list, and
has earned a spot on the CRN MSP 500 in five of the past six years.

The company was purchased by private equity giant Sverica Capital
Management in November 2015. Synoptek has been an aggressive acquirer in
recent years, scooping up FusionStorm’s MSP business in August 2013,
EarthLink’s $37 million IT services business in February 2016,
enterprise software provider Indusa in July 2018, and Microsoft
business consulting services firm Dynamic Resources in May 2019.
