Cloud-based virtual desktop provider hit by ransomware

Some customer backup files were encrypted, delaying recovery operations. The outage has now lasted a week.

iNSYNQ status update

iNSYNQ, a cloud computing provider of virtual desktop environments, has been down in a major outage that has lasted nearly a week after its servers were infected last Tuesday, July 16, with ransomware.

Those impacted are not just iNSYNQ's direct customers, but also companies that use its infrastructure to host Intuit QuickBooks web-based apps and accounting services.

Ransomware attacks are a problem for web hosting firms

For the past week, iNSYNQ has been getting blasted on social networks and on web hosting review sites for its lack of updates and the unusually long amount of time it needed to resolve the outage.

Typical web hosting outages only last a few hours, and rarely do they last for more than a day.

However, iNSYNQ's servers were locked with ransomware, a type of cyberattack whose time-consuming recovery steps are incompatible with an always-on business like web hosting, where everything needs to be working at full capacity almost all the time.

After its infection last week, iNSYNQ was forced to immediately take down its infrastructure to prevent the ransomware from spreading to more systems.

Recovery operations involved reinstalling hundreds or thousands of servers and then restoring backups, where the files were still available.

Such operations are time-consuming, and they have taken the company around six days to complete, during which time its public image was dragged through the dirt by angry customers.

iNSYNQ was hit by MegaCortex

In a blog post published today, iNSYNQ CEO Elliot Luchansky revealed for the first time the name of the ransomware that has caused so many problems for its engineers. Named MegaCortex, this is a relatively new ransomware strain that was first spotted in early May.

At the time, Sophos reported that the criminal gang behind this new threat was going after large companies, rather than targeting home consumers as most ransomware strains have done in the past.

iNSYNQ is now the highest-profile victim the MegaCortex gang has claimed, and one that shows the group behind this threat is not just a pack of amateurs.


Some iNSYNQ backup files were encrypted

But while recovery efforts have taken almost a week, Luchansky said today that iNSYNQ is finally starting to grant customers access to their virtual desktops.

However, the recovery operations have not been entirely successful, and some customers still don't have access to some personal files and account backups, the CEO said.

"While we caught the attack early, the malware was able to encrypt some files," the iNSYNQ CEO said. "We are currently working to determine if those are recoverable."

"You might see encrypted files on your desktop with .megacortex as an extension," Luchansky added. "They aren't available to access."

"Luckily, the vast majority of the files that were impacted (i.e., are encrypted) are smaller files and do not include QuickBooks or Sage files," he said.

The iNSYNQ CEO is urging customers to have patience. "Files and data may take time to populate to your account," he said.

Luchansky estimates it will take his staff several days before they manage to restore all customer accounts. He's also instructing customers who still have encrypted files on their virtual desktops to use older backups to restore the files, or reach out to his staff for additional help.
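The recovery step the CEO describes above, identifying encrypted files by their suffix and falling back to an older backup, can be turned into a simple triage script. What follows is an added illustration, not iNSYNQ's tooling or anything published with the blog post: it walks a recovered desktop tree, lists every file carrying the reported `.megacortex` suffix, and checks whether an older backup snapshot still holds a clean copy under the original name. The file names, directory layout and the assumption that the malware appends the suffix to the original name (rather than replacing it) are all constructed for the example; the snapshot itself is also checked, since the page notes that some backup files were encrypted too.

```python
"""Ransomware recovery triage (constructed example, not iNSYNQ's code).

Given a post-attack directory tree and an older backup snapshot, report
which encrypted files can be restored from the snapshot and which cannot.
"""
import tempfile
from pathlib import Path

# Extension the page reports on encrypted files. Assumption: the malware
# appends it, so "report.xlsx" became "report.xlsx.megacortex".
RANSOM_EXT = ".megacortex"


def find_encrypted(root: Path) -> list:
    """Return every regular file under root that carries RANSOM_EXT."""
    return sorted(p for p in root.rglob("*" + RANSOM_EXT) if p.is_file())


def original_relpath(encrypted: Path, root: Path) -> Path:
    """Strip the suffix to recover the pre-attack path relative to root."""
    rel = encrypted.relative_to(root)
    return rel.with_name(rel.name[: -len(RANSOM_EXT)])


def backup_is_clean(candidate: Path) -> bool:
    """A backup copy only helps if it exists under the original name.

    If the snapshot was itself hit, the clean name is missing and only a
    suffixed twin remains, so this check covers the encrypted-backup case
    the article describes.
    """
    return candidate.is_file() and not candidate.name.endswith(RANSOM_EXT)


def triage(root: Path, backup_root: Path) -> dict:
    """Map each encrypted file to 'restorable' or 'unrecoverable'."""
    result = {"restorable": [], "unrecoverable": []}
    for enc in find_encrypted(root):
        rel = original_relpath(enc, root)
        bucket = "restorable" if backup_is_clean(backup_root / rel) else "unrecoverable"
        result[bucket].append(rel.as_posix())
    return result


def demo() -> dict:
    """Build a constructed fixture in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        desktop = Path(tmp) / "desktop"
        backup = Path(tmp) / "backup_snapshot"

        # Live desktop after the attack: two encrypted files, one untouched.
        (desktop / "invoices").mkdir(parents=True)
        (desktop / "invoices" / "q2.xlsx.megacortex").write_bytes(b"\x00junk")
        (desktop / "notes.txt.megacortex").write_bytes(b"\x00junk")
        (desktop / "company.qbw").write_bytes(b"untouched accounting file")

        # Older snapshot: clean copy of q2.xlsx exists, but notes.txt was
        # only captured after it had already been encrypted.
        (backup / "invoices").mkdir(parents=True)
        (backup / "invoices" / "q2.xlsx").write_bytes(b"clean spreadsheet")
        (backup / "notes.txt.megacortex").write_bytes(b"\x00junk")

        return triage(desktop, backup)


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints `{'restorable': ['invoices/q2.xlsx'], 'unrecoverable': ['notes.txt']}` for the constructed fixture. The point of the `backup_is_clean` check is the one the article makes implicitly: a restore plan is only as good as the snapshot's own state, so an inventory should verify the backup copy is actually unencrypted before anyone counts a file as recovered.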

Ransomware incidents that touch web hosting firms are notoriously difficult to handle, and they are always problematic and time-consuming.

This is why the largest ransom ever paid for a ransomware infection is connected to a web hosting firm. In June 2017, South Korean web hosting firm Internet Nayana paid 1.3 billion won ($1.14 million) worth of bitcoins to regain access to its servers and backups.

In May, A2 Hosting, a Windows Server hosting provider, was also hit by ransomware. Just like iNSYNQ, the company took around a week to start giving users access back to their servers, an operation that took around a month to complete.
