Cyber Incident Victim: Synoptek
Date: Dec 2019
Location: United States of America
Summary
A managed IT services provider experienced a ransomware attack involving the Sodinokibi (REvil) strain, which disrupted operations for numerous clients across various sectors. The incident stemmed from a credential compromise that gave attackers access to the provider's internal systems, from which they pushed ransomware onto customer environments through the provider's own remote management tooling. The provider reportedly paid an undisclosed ransom to obtain decryption keys, while state and federal agencies contacted potentially affected entities. The attack fits a pattern of ransomware groups targeting IT service providers, where a single intrusion yields disruption across an entire client base and so amplifies pressure to pay; in the same period the group also began threatening to publish data stolen from victims who refused payment.
Description
On December 23, 2019, Synoptek, an Irvine, California-based managed service provider supporting over 1,100 clients across government, healthcare, financial services, and other sectors, experienced a ransomware attack that disrupted operations for numerous customers. The incident first gained public attention through Reddit posts on December 24 from employees of affected client organizations, detailing widespread service outages. Synoptek acknowledged the event via a Twitter statement late on December 23, characterizing it as a "credential compromise which has been contained" while emphasizing immediate remediation efforts with customers. Internal sources confirmed the attackers deployed Sodinokibi ransomware (also known as REvil), which encrypted data and demanded cryptocurrency payments for decryption keys. These sources further verified Synoptek paid an undisclosed ransom to obtain the keys, though the company did not publicly confirm this action or respond to media inquiries.

The attack impacted Synoptek's cloud hosting and IT management infrastructure. The intruders used the compromised credentials to access Synoptek's internal systems and then used its remote management tools to push the ransomware into client environments, so the provider's own administrative channel became the delivery mechanism. This caused operational disruptions across Synoptek's customer base and prompted outreach by the State of California and the U.S. Department of Homeland Security to potentially affected state and local entities. The Sodinokibi operators, known for targeting IT service providers to maximize collateral damage, employed tactics consistent with their previous attacks on firms such as Complete Technology Solutions and PerCSoft, which affected over 100 dental practices and 400 clients respectively. Concurrently, the ransomware group intensified pressure by threatening to publish stolen data from victims who refused payment, mirroring the Maze ransomware gang, which had established a public leak site listing non-paying victims earlier that month. Synoptek's incident highlighted the systemic risk of managed service providers whose remote management tooling holds standing, privileged access into many client networks: one compromised credential at the provider is enough to reach every tenant that tooling can manage.
