ARRL Pays $1 Million Ransom to Restore Encrypted Systems

A recently reported cybersecurity incident shows that the American Radio Relay League (ARRL), the National Association for Amateur Radio, paid a $1 million ransom following a ransomware attack this past May. The attack encrypted ARRL systems, which led the organization to take the affected systems offline immediately in order to contain the breach. The ARRL characterized the incident as a high-end ransomware attack run by an international cyber syndicate.

The data breach, though extremely serious, affected only an estimated 150 ARRL employees, according to the report the organization submitted to the Office of Maine’s Attorney General. The ARRL has since informed those affected through breach notification letters, which also reveal that the attack was first noticed on the 14th of May. While the organization did not at first reveal the identity of the attackers, it later came to light through sources familiar with the matter that the ransomware gang Embargo was behind the attack.

In its notification, ARRL pointed out that it had implemented measures that could prevent further distribution or publication of data, wording from which a ransom payment could be inferred. In later communications, the station manager said that ARRL had paid the ransom, specifically noting that it did so not because of a concern for data disclosure but to obtain a “decryption tool that [the attackers] say is required to restore their systems.” The ransom demand was substantial, and ARRL had earlier communicated to the attackers that it is a non-profit organization with limited finances.

The attackers evidently operated under a misapprehension here. The negotiation was tense and protracted because of the constant strategic back-and-forth between the ARRL and the attackers. After a period of refusal and resistance, ARRL agreed to pay $1 million, but a large part of that money, along with the restoration cost, was covered by ARRL's insurance policy. This coverage was crucial in easing the burden of the ransom payment and enabled the organization to focus on the recovery process.

Recovery is ongoing as ARRL regains access to its systems. With all critical infrastructure now restored, the organization says it will take another two months to fully reintegrate all the affected servers, notably those used for internal purposes. Restoration is being carried out under new infrastructure guidelines and standards developed to avoid similar incidents in the future.
