The American Radio Relay League (ARRL) confirmed it paid a $1 million ransom to obtain a decryptor to restore systems encrypted in a May ransomware attack.
After discovering the incident, ARRL (the National Association for Amateur Radio) took impacted systems offline to contain the breach. One month later, it said its network had been hacked by a "malicious international cyber group" in a "sophisticated network attack."
ARRL later alerted impacted individuals via data breach notification letters that it detected a "sophisticated ransomware incident" on May 14 after its computer systems were encrypted. In a July filing with the Office of Maine's Attorney General, ARRL said the resulting data breach affected only 150 employees.
While the organization has not yet linked the attack to a specific ransomware operation, sources told BleepingComputer that the Embargo ransomware gang was behind the breach.
ARRL also said in the breach notifications that it had already taken "all reasonable steps to prevent [..] data from being further published or distributed," which was interpreted at the time as a veiled confirmation that a ransom had been, or would likely be, paid.
$1 million ransom covered by insurance
On Wednesday, ARRL revealed that it had indeed paid the attackers a ransom, not to prevent stolen data from being leaked online, but to obtain a decryption tool to restore systems impacted during the attack on the morning of May 15.
"The ransom demands by the TAs, in exchange for access to their decryption tools, were exorbitant. It was clear they didn’t know, and didn’t care, that they had attacked a small 501(c)(3) organization with limited resources," it said in a statement published yesterday.
"Their ransom demands were dramatically weakened by the fact that they did not have access to any compromising data. It was also clear that they believed ARRL had extensive insurance coverage that would cover a multi-million-dollar ransom payment,"
"After days of tense negotiation and brinkmanship, ARRL agreed to pay a $1 million ransom. That payment, along with the cost of restoration, has been largely covered by our insurance policy."
ARRL says that most systems have already been restored and anticipates that it will take up to two months to bring back all affected servers (mostly minor servers for internal use) under "new infrastructure guidelines and new standards."
Comments
NoneRain - 1 month ago
Thanks, ARRL, for funding crimes. Without those like you guys, ransomware as we know today wouldn't exist.
JohnC_21 - 1 month ago
CDK supposedly paid $25 million to bring their systems back.
ZeroYourHero - 1 month ago
So NoneRain, you have no idea who they are and their long history of volunteer work during national emergencies do you? Hint: They are not rich. Google them and do about 15 minutes of research then you will feel like a big piece of shiat for your comment, like you should if you have any dignity.
h_b_s - 1 month ago
"So NoneRain, you have no idea who they are and their long history of volunteer work during national emergencies do you? Hint: They are not rich. Google them and do about 15 minutes of research then you will feel like a big piece of shiat for your comment, like you should if you have any dignity."
Immaterial. I'm an American licensed amateur radio operator and would have hit the roof to learn they'd given my dues to some cybercriminal organization regardless. I happen to know exactly what they do and fund. They will NOT be getting money from me in the future.
They apparently didn't have a proper recovery plan in place, ironic considering how much the ARRL harps on disaster preparedness. Outside of financial details they shouldn't be holding anyway, everything the ARRL would have on members is already public information (our licenses are public info, the tests are public pools, and the books/magazines are science and public history), so a threat of revelation wouldn't have held water.
So yeah, I'm a constituent. I'm pissed. And there's no way they're getting my support in the future.
teethlikeglass - 1 month ago
h_b_s and NoneRain. Reread the article. It wasn’t paid with dues but by their insurance company. Additionally ransom is still a crime. This does not mean they made a legal deal and this is over. The hackers are being sought and if possible an arrest and assets returned could happen. While chances are slim it has happened in the past.
ZeroYourHero - 1 month ago
OK h_b_s, if you're legit what's your call sign?
powerspork - 1 month ago
Why was it paid if they "did not have access to any compromising data"? They simply did not want to rebuild their systems from scratch?
h_b_s - 1 month ago
My guess is they didn't have proper backups. I'm more than irritated to find out they likely didn't have an information security and recovery plan in place considering how much the ARRL harps on disaster preparedness in other areas.
Fogmoose - 1 month ago
"Why was it paid if they "did not have access to any compromising data"? They simply did not want to rebuild their systems from scratch?"
You can be sure that the attackers did indeed have compromising data. How do you think dues and publications are paid for? With a credit card 98% of the time.
ZeroYourHero - 1 month ago
Sad, the ARRL works with the good guys volunteering help with communications during emergencies like hurricanes, fires and other large emergencies. It was probably not a choice they wanted to make but if they didn't pay decades of detailed ham radio history would be lost.
thatirish - 1 month ago
Subscriptions are going up again....LOL!
Fogmoose - 1 month ago
I have not been a member for years, and I will certainly not be rejoining after this. I always knew the organization was horribly run, and this only confirms it. Pathetic that in today's world, stupidity like this can still exist.