In mid-July 2019, a ransomware outbreak hit iNSYNQ, a QuickBooks cloud hosting firm. The attack appears to have started with a phishing email that fooled an employee in the company's sales department.
The intruders are further said to have been inside iNSYNQ's internal networks for roughly ten days before deploying the ransomware. iNSYNQ declined to pay the ransom demand and is still working to fully restore customer access to files.
On August 8, 2019, iNSYNQ's chief executive, Elliot Luchansky, briefed customers on how the attack unfolded and what the company is doing to prevent such outages in the future.
When iNSYNQ took its network offline on July 16 because of the ransomware attack, some of its accounting customers took to social media to complain that iNSYNQ was stonewalling them.
The intruders planted MegaCortex, a potent new ransomware strain first spotted just a few months earlier, on the internal networks. MegaCortex is used to target enterprises, Luchansky said, adding that the attack appears to have been carefully planned in advance and executed “with human intervention all the way through.”
Luchansky did not disclose the ransom amount the intruders demanded, but he said two key factors informed the company's decision not to pay.
According to an analysis of MegaCortex by Accenture iDefense, the crooks behind the ransomware are targeting businesses and enterprises, not home users. They demand ransom payments of two to 600 bitcoins, roughly $20,000 to $5.8 million.
The ransom note in the latest version of MegaCortex reads in part: “We are working for profit. The core of this criminal business is to give back your valuable data in the original form (for the ransom of course)”.
In the town hall meeting, Luchansky did not say precisely when the initial phishing attack occurred, adding that iNSYNQ is working with California-based CrowdStrike to gain a complete picture of the attack.
But Alex Holden, founder of the Milwaukee-based cyber intelligence firm Hold Security, analyzed the information KrebsOnSecurity had gathered and monitored dark web communications, which indicated that the problem started on July 6, when an employee in iNSYNQ's sales department fell for a targeted phishing email.
It takes attackers days, weeks or even months to encrypt data, and at the initial stage of a ransomware infection a company that acts promptly can still detect and stop the attack, Holden said.
Luchansky was asked whether the company had backups of the customer data and, if so, why iNSYNQ decided not to restore from them. He replied that the backups were there, but they were also infected.
The backups were taken from the primary system, and iNSYNQ's setup was architected in a way that let the malware spread into the backups as well, at least to some extent. Turning the backups on could therefore have affected the whole backup system as the malware spread through it. For these reasons, Luchansky added, they are treating the backups and the primary systems the same way.
The CEO said the backup system has been repaired and that it would take days instead of weeks to recover if a similar attack happened in the future. In addition, iNSYNQ will be partnering with a company that helps firms detect and block phishing attacks and will offer the service to its customers at discounted prices.
But the CEO did not answer questions about employee anti-phishing education and/or testing services. In closing, Luchansky said the company was able to restore access to more than 90 percent of customer files by Aug. 2, roughly two weeks after the ransomware outbreak, which began with a single phishing email.
The company will now be offering its customers a two-month credit as a result of the outage.
Bottom Line
As this account of the attack shows, it all started with a phishing email and led to a MegaCortex ransomware infection. It is true that “prevention is better than cure.” Protect your data and network before it is too late.
Contact Fusion Factor for a free cybersecurity assessment for your business and find out whether your firm is protected against phishing and ransomware attacks.