Backup software provider paid cybercriminals to regain data

Jun 2, 2021 11:24 GMT

ExaGrid has paid a $2.6 million ransom to cybercriminals who targeted the company with the Conti ransomware, according to Computer Weekly.

According to information obtained by LeMagIT, the ransom was paid in the form of 50.75 Bitcoins on May 13.

Caving in to the ransomware attackers' demands became even more embarrassing when the backup appliance vendor accidentally deleted the decryption tool and had to request it again.

The ransomware attack occurred in the same month that U.S. pipeline operator Colonial Pipeline paid $4.5 million after being hit by the Darkside ransomware and that the Irish health service was also attacked by the Conti ransomware.

LeMagIT had access to negotiations that began on May 4 with an employee with the title IT lead technician at ExaGrid Systems.

The cybercriminals said, “As you already know, we infiltrated your network and stayed in it for more than a month (enough to study all of your documentation), encrypted your file servers, SQL servers, downloaded all important information with a total weight of more than 800GB”.

They went on to explain how they obtained personal information of customers and employees, business contracts, NDA forms, financial data, tax returns, and source code. The initial ransom demand was $7,480,000.

ExaGrid wanted to test the decryption on a sample, so it submitted a snapshot of the front of an ExaGrid EX63000E NAS device. The negotiations lasted until May 13. During this time, the attackers shared files with ExaGrid via Sendspace to demonstrate what they could access. Some of the archives shared in this manner were not destroyed for some time after the talks concluded and could still be downloaded.

The price was reduced by $1 million by the Conti negotiator

The cybercriminal negotiator appeared to have more experience than the others. She reacted to ExaGrid's initial offer of more than $1 million by saying: “Thank you for your efforts. This is a fair and reasonable initial offer. We now have the opportunity to negotiate. We are prepared to offer you a discount of $1m. Your fee will now be $6,480,000”.

In contrast to the heavy-handed tactics of previous cyber thieves, the negotiator noted, “We understand that your work here is not easy and requires some effort to convince the members of your board. But, we are still far from agreement”.

After a week, ExaGrid's negotiator increased his offer to $2.2 million. The cybercriminals then lowered their demand to $3 million. At this point, talks became more heated as the two parties tried to reach an agreement as quickly as possible. As a result, a settlement of $2.6 million was quickly reached, and the Bitcoin address indicated that the agreed sum had been paid. The decryption tool was provided through an account at Mega.nz, where the stolen data was stored.

However, two days later, the ExaGrid negotiator requested that the decryption tool be resent, since they had destroyed it by mistake. The next day, the cybercriminals made it available for download again.

ExaGrid says on its website: “ExaGrid offers a unique approach to ensure that attackers cannot compromise the backup data, allowing organisations to be confident that they can restore the affected primary storage and avoid paying ugly ransoms”.