{
	"id": "4080f098-b9a2-40c6-bfbe-4f94f23ede3a",
	"created_at": "2026-04-06T00:19:17.509273Z",
	"updated_at": "2026-04-10T03:30:33.343034Z",
	"deleted_at": null,
	"sha1_hash": "959bfd85d4a1622e5fd7b17d67ada358fedea269",
	"title": "Exagrid pays $2.6m to Conti ransomware attackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 423230,
	"plain_text": "Exagrid pays $2.6m to Conti ransomware attackers\r\nBy Valéry Rieß-Marchive\r\nPublished: 2021-06-01 · Archived: 2026-04-05 15:26:54 UTC\r\nBackup appliance specialist hit by Conti ransomware in May with cyber criminals\r\ndownloading employee and customer data, confidential contracts and source code\r\nBy\r\nValéry Rieß-Marchive,\r\nAntony Adshead, Computer Weekly\r\nPublished: 01 Jun 2021 13:00\r\nBackup appliance supplier ExaGrid has paid a $2.6m ransom to cyber criminals that targeted the company with\r\nConti ransomware.\r\nThe ransom was paid in the form of 50.75 bitcoins on 13 May, according to information gained by\r\nComputerWeekly.com’s French sister publication LeMagIT.\r\nAccession to the ransomware attacker’s demands was made more embarrassing when the backup appliance\r\nsupplier – which makes a big play of its strengths against ransomware – accidentally deleted the decryption tool\r\nand had to ask for it again.\r\nSubmission to the ransomware attack came in the same month as US pipeline operator Colonial Pipeline paid\r\n$4.5m after being hit by Darkside ransomware and the Irish health service was targeted, also by Conti\r\nransomware.\r\nThe negotiations, to which LeMagIT had access, began on 4 May with a person with the title “IT lead technician\r\nwith ExaGrid Systems”.\r\nThe cyber criminals got straight to the point, and said: “As you already know, we infiltrated your network and\r\nstayed in it for more than a month (enough to study all of your documentation), encrypted your file servers, SQL\r\nservers, downloaded all important information with a total weight of more than 800GB.”\r\nThey went on to describe how they had got hold of the personal data of clients and employees, commercial\r\ncontracts, NDA forms, financial data, tax returns and source code. 
The initial ransom demanded was $7,480,000.\r\nExaGrid wanted to test the decryption on a sample, and a photo of the front of an ExaGrid EX63000E NAS box\r\nwas provided. Negotiations continued and lasted until 13 May. All through this period, the attackers shared files\r\nwith ExaGrid via Sendspace to show what they had been able to access. Some archives shared in this way had not\r\nbeen deleted for some time after negotiations finished and could still be downloaded.\r\nThe cyber criminal’s negotiator seemed more experienced than others. After an initial offer from ExaGrid of more\r\nthan $1m, she responded: “Thank you for your efforts. This is a fair and reasonable initial offer. We now have the\r\nopportunity to negotiate. We are prepared to offer you a discount of $1m. Your fee will now be $6,480,000.”\r\nIn contrast to the heavy-handed approach of other cyber criminals, the negotiator added: “We understand that your\r\nwork here is not easy and requires some effort to convince the members of your board. But, we are still far from\r\nagreement.”\r\nA week later, the ExaGrid negotiator raised their offer to $2.2m. The cyber criminals then reduced their demand to\r\n$3m. At that point, the exchanges intensified as the two parties sought to quickly reach an accord. That came soon\r\nwith an agreement at $2.6m, and the bitcoin address indicated that the negotiated amount was paid. The\r\ndecryption tool was provided via an account at Mega.nz, where the stolen data was stored. The data and the\r\naccounts were immediately deleted.\r\nBut then, two days later, the ExaGrid negotiator asked for the decryption tool to be sent again because “we deleted\r\nit by accident”. 
The cyber criminals made it available for download the next day.\r\nThe attack is particularly embarrassing for Exagrid, which last December announced it had won seven industry\r\nawards, as well as the launch of a new solution for restores following ransomware attacks.\r\nOn its website, on the subject of ransomware, ExaGrid says: “ExaGrid offers a unique approach to ensure that\r\nattackers cannot compromise the backup data, allowing organisations to be confident that they can restore the\r\naffected primary storage and avoid paying ugly ransoms.”\r\nExaGrid has been asked for comment, but was not available at time of publishing.\r\nSource: https://www.computerweekly.com/news/252501665/Exagrid-pays-26m-to-Conti-ransomware-attackers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.computerweekly.com/news/252501665/Exagrid-pays-26m-to-Conti-ransomware-attackers"
	],
	"report_names": [
		"Exagrid-pays-26m-to-Conti-ransomware-attackers"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434757,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/959bfd85d4a1622e5fd7b17d67ada358fedea269.pdf",
		"text": "https://archive.orkl.eu/959bfd85d4a1622e5fd7b17d67ada358fedea269.txt",
		"img": "https://archive.orkl.eu/959bfd85d4a1622e5fd7b17d67ada358fedea269.jpg"
	}
}