Inside the Insynq attack: ‘We had to assume they were listening’

While cloud hosting provider Insynq posted a message online within an hour of identifying a major ransomware attack on July 16, and followed up with one or two mass emails to customers each day afterward, the company had to put limits on the information it shared — to avoid giving its attackers an edge.

“A lot of people were frustrated that we weren’t sharing enough, and I understand that,” CEO Elliot Luchansky told attendees at an online town hall hosted by technology consultant Joe Woodard on Thursday. “We were withholding information — but that was done strategically for a very good reason. This was a ransomware attack, and there were human beings involved in real-time in carrying out the attack, so we had to assume they were monitoring what we said.”

“We were negotiating a ransom while sharing information publicly — it put us in a really tough bind,” Luchansky continued. “Transparency is something we take very seriously — we would have preferred to handle it totally open book, but that wouldn’t have been in the best interests of our customers. We had to assume that the attackers were listening.”

“Not showing your hand is part of winning that battle,” confirmed Woodard.

In the end, though, the company decided not to pay the ransom the attackers demanded.

“A few factors played into that,” Luchansky said. “The cybercriminal community is constantly sharing things with each other. We had reason to believe if we paid the ransom — a very substantial amount that we were ready to pay in cryptocurrency — it would put a target on our head in the future.”

What’s more, because the company had identified the attack early and taken immediate steps against it, much less of its data was maliciously encrypted by the attackers, so paying them to decrypt it was a less pressing concern than dealing with the malware that had come along with the attack.

“Even if we received the decryption key, that wasn’t the main issue here,” Luchansky said. “Because of our quick reaction, we were able to contain the encryption part, so we were much more concerned about the malware — and you don’t get help for that by paying the ransom.”

Anatomy of an attack

As part of the town hall, Luchansky gave a detailed account of the attack and the outage.

“On July 16, we were the target of a sophisticated criminal organization that triggered a highly targeted, carefully planned ransomware attack on one of our primary data centers, affecting more than 50 percent of our customer base,” he explained.

The attackers were targeting Insynq specifically, not just the data center the company uses, and they employed a previously unknown variant of the MegaCortex ransomware virus that they introduced through a phishing attack.

Even as the ransomware began encrypting company and client data to hold hostage, the attack also unleashed what Luchansky called “a hurricane of malware spreading like wildfire at the same time.”

“We identified the attack in a matter of minutes, and that positioned us to preserve way more data than we might have otherwise,” he continued. “We immediately shut down that data center — we pulled the plug to minimize the impact of lost data. We could tell there was an attack going on; we didn’t know much about it, but we took the executive decision to shut down, knowing that would mean an outage for our customers.”

Recovery was complicated by the fact that the malware had also gotten into some of the company’s backups. “We had to treat the backups how we were treating the primary system, so it wouldn’t spread the problem,” Luchansky explained.

Ransomware attacks per minute 2019 chart

The recovery

Luchansky reported that as of last week, more than 90 percent of Insynq’s users were able to log in and access their files, so they could download and use them in a local version of QuickBooks.

“At this point, we have the majority of our customers fully functional on their desktops, with data as of an hour before the attack,” he said. “Right after, we focused on providing access to as many of the apps as possible, prioritized by what’s most important and most used by our customer base.” He noted that QuickBooks will be at the top of the list, along with Microsoft and Sage.

In terms of making customers whole, the company is already giving customers credit for all the days of the outage, but Luchansky expects to do much more, with plans to offer as much as two full months of credit.

“We’re still working out the details now,” he said, “but we’re going to go well above and beyond — think of it as 6x of what’s gone so far.”

Insynq has also taken a number of steps to prepare against future events of this kind:

  • Implementing “next-gen” anti-malware software that uses artificial intelligence and behavioral pattern recognition to recognize suspicious behavior.
  • Developing new backup systems that prevent attacks from spilling over.
  • Creating a faster restore process, with the aim of being able to get customers back in business in days, rather than weeks.
  • Investigating creating a “business continuity” option that would maintain a full mirrored environment of a user’s systems, so they could switch over instantly at the first sign of an attack (though Luchansky noted that this kind of service would cost significantly more).
  • Hiring a cybersecurity technology company, CrowdStrike, to investigate the breach.
  • Partnering with a third party for the capability to flexibly expand its communication channels in response to spikes in customer demand.
  • Adding a chief information security officer-level position, and boosting employee training around cybersecurity.

“It is one thing to prepare for these events — but it’s an entirely different experience to live through one firsthand,” Luchansky said. “The silver lining here is that we are way better positioned and have better tools and know so much better what this really looks like to take preventive measures to lower the risk of this happening again, and taking steps to be prepared.

For reprint and licensing requests for this article, click here.