ExaGrid pays $2.6m to Conti ransomware attackers

by Joseph K. Clark

Backup appliance supplier ExaGrid has paid a $2.6m ransom to cybercriminals that targeted the company with Conti ransomware. The ransom was paid in the form of 50.75 bitcoins on 13 May, according to information obtained by ComputerWeekly.com’s French sister publication LeMagIT. Giving in to the ransomware attackers’ demands was made more embarrassing when the backup appliance supplier – which makes a big play of its strengths against ransomware – accidentally deleted the decryption tool and had to ask for it again.

Submission to the ransomware attack came in the same month as US pipeline operator Colonial Pipeline paid $4.5m after being hit by Darkside ransomware. The Irish health service was also targeted by Conti ransomware. The negotiations, to which LeMagIT had access, began on 4 May with a person titled “IT lead technician with ExaGrid Systems”. The cybercriminals got straight to the point and said: “As you already know, we infiltrated your network and stayed in it for more than a month (enough to study all of your documentation), encrypted your file servers, SQL servers, downloaded all important information with a total weight of more than 800GB.”

They described how they had got hold of the personal data of clients and employees, commercial contracts, NDA forms, financial data, tax returns, and source code. The initial ransom demanded was $7,480,000. ExaGrid wanted to test the decryption on a sample, and a photo of the front of an ExaGrid EX63000E NAS box was provided. Negotiations continued and lasted until 13 May. Throughout this period, the attackers shared files with ExaGrid via Sendspace to show what they had been able to access. Some archives shared in this way were not deleted for some time after negotiations finished and could still be downloaded.


The cybercriminal negotiator seemed more experienced than others. After an initial offer from ExaGrid of more than $1m, she responded: “Thank you for your efforts. This is a fair and reasonable initial offer. We now have the opportunity to negotiate. We are prepared to offer you a discount of $1m. Your fee will now be $6,480,000.” In contrast to the heavy-handed approach of other cybercriminals, the negotiator added: “We understand that your work here is not easy and requires some effort to convince the members of your board. But, we are still far from agreement.”

A week later, the ExaGrid negotiator raised their offer to $2.2m. The cybercriminals then reduced their demand to $3m. At that point, the exchanges intensified as the two parties sought to reach an accord quickly. That came soon with an agreement at $2.6m, and the Bitcoin address indicated that the negotiated amount was paid. The decryption tool was provided via an account at Mega.nz, where the stolen data was stored. The data and the charges were immediately deleted.

But then, two days later, the ExaGrid negotiator asked for the decryption tool to be sent again because “we deleted it by accident”. The cybercriminals made it available for download the next day. The attack is particularly embarrassing for ExaGrid, which last December announced it had won seven industry awards, as well as the launch of a new solution for restores following ransomware attacks. On its website, on the subject of ransomware, ExaGrid says: “ExaGrid offers a unique approach to ensure that attackers cannot compromise the backup data, allowing organizations to be confident that they can restore the affected primary storage and avoid paying ugly ransoms.” ExaGrid has been asked for comment but was not available at the time of publishing.
