Backup appliance supplier ExaGrid has paid a $2.6m ransom to cybercriminals that targeted the company with Conti. The ransom was paid in the form of 50.75 bitcoins on 13 May, according to information gained by ComputerWeekly.com’s French sister publication. Accession to the ransomware attacker’s demands was made more embarrassing when the supplier – which makes a big play of its strengths against ransomware – accidentally deleted the decryption tool and had to ask for it again.
Submission to the ransomware attack came in the same month as US$4.5m after being hit by Darkside ransomware. The Irish health service was also targeted. The negotiations, to which LeMagIT had access, began on 4 May with a person titled “IT lead technician with ExaGrid Systems”. The cybercriminals got straight to the point and said: “As you already know, we infiltrated your network and stayed in it for more than a month (enough to study all of your documentation), encrypted your file servers, SQL servers, downloaded all important information with a total weight of more than 800GB.”
They described how they had got data of clients and employees, commercial contracts, NDA forms, financial data, tax returns, and source code. The initial demand was $7,480,000. ExaGrid wanted to test the decryption on a sample, and a photo of the front of an ExaGrid EX63000E NAS was provided. Negotiations continued and lasted until 13 May. Throughout this period, the attackers shared archives with ExaGrid via Sendspace to show what they had been able to access. Some archives shared in this way were not deleted for some time after negotiations finished and could still be downloaded.
The cybercriminal negotiator seemed more experienced than others. After an initial offer from ExaGrid of more than $1m, she responded: “Thank you for your efforts. This is a fair and reasonable initial offer. We now have the opportunity to negotiate. We are prepared toof $1m. Your fee will now be $6,480,000.” In contrast to the heavy-handed approach of other cybercriminals, the negotiator added: “We understand that your work here is not easy and requires some effort to convince the . But, we are still far from agreement.”
A week later, the ExaGrid negotiator raised their offer to $2.2m. The cybercriminals then reduced their demand to $3m. At that point, the exchanges intensified as the two parties sought to reach an accord quickly. That came soon with an agreement at $2.6m, and the Bitcoin address indicated that the negotiated amount was paid. The decryption tool was provided via an account at Mega.nz, where thewas stored. The .
But then, two days later, the ExaGrid negotiator asked for the decryption tool to be sent again because “we deleted it by accident”. The cybercriminals made it available the next day. The attack is particularly embarrassing for ExaGrid, which it had won seven industry awards, as well as the launch of a new solution for restores following ransomware attacks. On its website, on the subject of ransomware, ExaGrid says: “ExaGrid offers a unique , allowing organizations to be confident that they can restore the affected primary storage and avoid paying ugly ransoms.” ExaGrid has been asked for comment but was not available at the time of publishing.