This company paid a ransom demand. Hackers leaked its data anyway

It's always recommended that ransomware victims don't give in to ransom demands - and this real-life case demonstrates why.
Written by Danny Palmer, Senior Writer
Image: Getty/5m3photos

A victim of a ransomware attack paid to restore access to their network – but the cyber criminals didn't hold up their end of the deal. 

The real-life incident, as detailed by cybersecurity researchers at Barracuda Networks, took place in August 2021, when hackers from BlackMatter ransomware group used a phishing email to compromise the account of a single victim at an undisclosed company.

From that initial entry point, the attackers were able to expand their access to the network by moving laterally around the infrastructure, ultimately leading to the point where they were able to install hacking tools and steal sensitive data. 

SEE: Ransomware: Why it's still a big threat, and where the gangs are going next

Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn't received.  

The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded, to be paid in Bitcoin. 

Cybersecurity agencies warn that despite networks being encrypted, victims shouldn't pay ransom demands for a decryption key because this only shows hackers that such attacks are effective.

Despite this, the unidentified organisation chose to pay the ransom after negotiating the payment down from half the original demand. But even though the company gave in to the extortion demands, the BlackMatter group still leaked the data a few weeks later – providing a lesson in why you should never trust cyber criminals. 

Cybersecurity responders from Barracuda helped the victim isolate the infected systems, bring them back online, and restore them from backups.

Following an audit of the network, multi-factor authentication (MFA) was applied to accounts, suggesting that a lack of MFA was what helped the attackers gain and maintain access to accounts in the first place. 

A few months after the incident, BlackMatter announced it was shutting down, with the recommendation that those using the ransomware-as-a-service scheme should switch to LockBit

According to Barracuda's report, ransomware attacks are on the rise, with more than double the number of attacks targeting key sectors, including healthcare, education and local government

Researchers also warn that the number of recorded ransomware attacks against critical infrastructure has quadrupled over the course of the last year. However, the report suggests there are reasons for optimism. 

"The good news is that in our analysis of highly publicized attacks, we saw fewer victims paying the ransom and more businesses standing firm thanks to better defenses, especially in attacks on critical infrastructure," it said. 

SEE: These are the biggest cybersecurity threats. Make sure you aren't ignoring them

In addition to applying MFA, organisations can take other actions to help secure their network against ransomware and cyberattacks, including setting up network segmentation, disabling macros to prevent attackers exploiting them in phishing emails, and ensuring backups are stored offline. 

It's also recommended that organisations apply security updates as quickly as possible to stop attackers targeting known vulnerabilities to gain access to accounts and networks. 


Editorial standards