The American Radio Relay League (ARRL) confirmed it paid a $1 million ransom to obtain a decryptor to restore systems encrypted in a May ransomware attack.

After discovering the incident, the National Association for Amateur Radio took impacted systems offline to contain the breach. One month later, it said its network was hacked by a “malicious international cyber group” in a “sophisticated network attack.”

ARRL later alerted impacted individuals via data breach notification letters that it detected a “sophisticated ransomware incident” on May 14 after its computer systems were encrypted. In a July filing with the Office of Maine’s Attorney General, ARRL said the resulting data breach affected only 150 employees.

While the organization has not yet linked the attack to a specific ransomware operation, sources told BleepingComputer that the Embargo ransomware gang was behind the breach.

ARRL also said in the breach notifications that it had already taken “all reasonable steps to prevent [..] data from being further published or distributed,” which was interpreted at the time as a veiled confirmation that a ransom had been, or would likely be, paid.

$1 million ransom covered by insurance

On Wednesday, ARRL revealed that it had indeed paid the attackers a ransom not to prevent stolen data from being leaked online but to obtain a decryption tool to restore systems impacted during the attack on the morning of May 15.

“The ransom demands by the TAs, in exchange for access to their decryption tools, were exorbitant. It was clear they didn’t know, and didn’t care, that they had attacked a small 501(c)(3) organization with limited resources,” it said in a statement published yesterday.

“Their ransom demands were dramatically weakened by the fact that they did not have access to any compromising data. It was also clear that they believed ARRL had extensive insurance coverage that would cover a multi-million-dollar ransom payment.”

“After days of tense negotiation and brinkmanship, ARRL agreed to pay a $1 million ransom. That payment, along with the cost of restoration, has been largely covered by our insurance policy.”

ARRL says that most systems have already been restored and anticipates that it will take up to two months to bring back all affected servers (mostly minor servers for internal use) under “new infrastructure guidelines and new standards.”