Cyber Incident Victim: Exagrid
Date: May 2021
Location: United States of America
Summary
A backup appliance supplier fell victim to a Conti ransomware attack after the attackers had been inside its network for over a month, encrypting critical servers and exfiltrating sensitive data including client and employee information, financial records, contracts, and source code. The attackers initially demanded $7.48 million but negotiated down to $2.6 million, paid in Bitcoin, after exchanges in which they demonstrated access to the stolen files. After receiving the decryption tool, the company accidentally deleted it and had to request a re-upload. The incident was particularly notable given the victim's public emphasis on ransomware resilience, including marketed solutions intended to let customers avoid paying ransoms.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early May 2021, backup appliance supplier ExaGrid fell victim to a Conti ransomware attack; the attackers had been inside its network for over a month before deploying encryption. They initiated contact on May 4, 2021, with an ExaGrid IT lead technician, stating that they had compromised file servers and SQL servers and exfiltrated more than 800 GB of sensitive data, including client and employee personal information, commercial contracts, non-disclosure agreements, financial records, tax returns, and source code. They demanded an initial ransom of $7.48 million and substantiated their claims by providing a photograph of an ExaGrid EX63000E NAS appliance and sharing samples of the stolen files via Sendspace. During negotiations, the attackers demonstrated access to historical data archives, which remained downloadable even after discussions concluded. Before proceeding with further negotiations, ExaGrid sought to verify the decryption capability by having a sample file decrypted.

The ransomware actors displayed unusual negotiation tactics, acknowledging ExaGrid's initial $1 million counteroffer as "fair and reasonable" before reducing their demand to $6.48 million. After a week of discussions, ExaGrid increased its offer to $2.2 million, prompting the attackers to lower their demand to $3 million. The parties rapidly reached a final settlement of $2.6 million, paid in 50.75 bitcoins on May 13. Conti provided a decryption tool via Mega.nz, and immediately after payment both parties deleted the associated accounts, with Conti stating that it had deleted the stolen data (a claim the victim had no way to verify). However, ExaGrid accidentally deleted the decryption tool two days later and requested a replacement, which the attackers supplied the following day. The incident was particularly damaging to ExaGrid's reputation as a vendor promoting ransomware-resistant backup solutions: it had recently launched a restore product for ransomware recovery and won multiple industry awards. The attack coincided with the high-profile DarkSide ransomware attack on Colonial Pipeline and Conti's attack on Ireland's health service, though ExaGrid declined to comment publicly when contacted about the breach.
