iNSYNQ Ransom Attack Possibly Caused by Phishing

KrebsOnSecurity has reported that a ransomware outbreak that compromised QuickBooks cloud hosting firm iNSYNQ in mid-July started with a phishing attack. A sales employee for iNSYNQ apparently fell victim to the hacker tactic, and hackers were free to romp around the iNSYNQ internal network for almost ten days. They then unleashed their ransomware.

iNSYNQ chief executive Elliot Luchansky briefed customers on the cause, current status, and future preventative measures the company plans to put in place during a virtual meeting on August 8th. “We could definitely have been better prepared, and it’s totally unacceptable,” Luchansky stated. “I take full responsibility for this. People waiting ridiculous amounts of time for a response is unacceptable.”

Luchansky told customers the company had to assume the hackers were watching and listening to entire recovery process in light of the company’s refusal to pay, so information regarding the situation was held close to the company chest early on.“That was done strategically for a good reason,” he said. “There were human beings involved with [carrying out] this attack in real time, and we had to assume they were monitoring everything we could say. And that posed risks based on what we did say publicly while the ransom negotiations were going on. It could have been used in a way that would have exposed customers even more. That put us in a really tough bind, because transparency is something we take very seriously. But we decided it was in our customers’ best interests to not do that.”

The attackers seeded iNSYNQ’s internal network with MegaCortex, a potent new ransomware strain. Some of their back up files were also infected. According to an analysis of MegaCortex published this week by Accenture iDefense, the crooks behind this ransomware strain are targeting businesses and demanding ransom payments in the range of two to 600 bitcoins.

iNSYNQ is still working with California-based CrowdStrike to investigate the full path of the attack, though dark web communications suggest the problem started on July 6, after an employee in iNSYNQ’s sales division fell for a targeted phishing email.

Luchansky said iNSYNQ was able to restore access to more than 90 percent of customer files by August 2nd. iNSYNQ is offering their customers a two month credit to compensate for the downtime caused by the incident.