Anti-ransomware biz ExaGrid ‘paid $2.6m ransomware demand’

Computer storage supplier ExaGrid has attempted to downplay a report that it paid nearly $3m to criminals who infected its corporate network with ransomware.

ExaGrid supplies backup disk storage equipment that features so-called retention time-lock technology with immutable deduplication objects. This is supposed to thwart ransomware attacks in which malware infects not just an organization’s primary storage but also backup appliances, encrypts file systems, and demands a payment to unscramble that data.

On Monday, it was reported that ExaGrid had been hit by the Conti ransomware gang: not only was 800GB of confidential internal information – including client and personnel records, contracts, and source code – encrypted, but the crooks also exfiltrated the data and demanded millions of dollars to keep it secret.

In response to this news, ExaGrid CEO and President Bill Andrews told Blocks & Files: “As you know anyone can create and write anything they want these days and publish it. There is not much we can do about that. ExaGrid is fully operational and it is business as usual.”

When we pushed ExaGrid to confirm it was attacked, and whether or not a ransom was paid, Andrews said: “ExaGrid does not discuss its network security, good or bad. We can say that the company is fully operational and is doing business as usual.”

According to a ComputerWeekly.de report, the crooks broke into ExaGrid’s internal systems and grabbed copies of sensitive documents. They then contacted the business on May 4 to demand $7.5m in Bitcoin to unscramble the files and keep quiet about the whole thing, it is claimed.

One of the extortionists was said to have messaged an IT lead at ExaGrid: “As you already know, we infiltrated your network and stayed in it for more than a month (enough to study all your documentation), encrypted your file servers; SQL servers, downloaded all important information with a total weight of more than 800 GB: personal data of clients (home addresses, SSN phone numbers of the contract), employees (SSN, home addresses, employment contracts, scans of personal documents, phone numbers), contracts with partners, NDA forms, customer bases, consolidated financial statements, payroll, tax returns, settlements with partners, bank statements, source code and etc.

“The good news is that we are businessmen. We want to receive ransom for everything that needs to be kept secret, and don’t want to ruin your business. The amount at which we are ready to meet you and keep everything as collateral is $7,480,000.”

Judging from what’s said to be screenshots of the ensuing conversation, the ExaGrid staffer replied they were able to, with the board of directors’ authorization, offer $2.2m. “If we do not make an agreement for this amount, we know we risk you publishing our data but we also know you risk losing 2.2 million dollars for your time and efforts,” the company’s representative apparently wrote. “Can we make a deal today?”

The extortionists shot back with a demand for $3m. However, by May 13, negotiations between the crooks and ExaGrid brought the extortion demand down to $2.6m, which was paid using Bitcoin, it is reported.