
Ransomed CTO falls on sword, refuses to pay extortion demand

(2025/11/13)


Digital extortion is a huge business, because affected orgs keep forking over money to get their data back. However, instead of paying a ransom demand after getting hit by extortionists last week, payment services provider Checkout.com donated the demanded amount to fund cybercrime research.

And - perhaps even more unusual than refusing to pay the extortionists' demand - Chief Technology Officer Mariano Albera said that his company takes "full responsibility" for the security incident, and apologized for the circumstances that allowed the breach to happen.

"We are sorry. We regret that this incident has caused worry for our partners and people," Albera [1]said in a Wednesday blog.

"We will not be extorted by criminals," he added. "We will not pay this ransom."

The CTO said [5]ShinyHunters contacted his company last week, claimed to have stolen data, and demanded a ransom. Albera didn't specify how much money the criminals wanted in exchange for files, and Checkout.com declined to comment on this when contacted by The Register.

In other ransomware news…

Ransomware remains a profitable biz, albeit a criminal one, according to Check Point Research's Q3 report.

The firm tracked a record-high [6]85 active extortion groups last quarter with 14 new groups emerging in Q3. It also counted 1,592 new victims - keep in mind, these are orgs posted on data leak sites, so they don't always provide a complete or accurate picture of the problem - which represents a 25 percent increase year-over-year.

While [7]Qilin led the quarter and averaged 75 victims per month posted on its name-and-shame site, LockBit came in second after reappearing in September, after [8]a law enforcement takedown, with a new [9]LockBit 5.0 variant.

Both of these crews are also allegedly part of the [10]DragonForce "cartel," although the researchers found "no evidence of real collaboration."

After launching its own internal investigation, the payment services firm determined that the crooks had broken into a "legacy third-party cloud file storage system" that wasn't properly decommissioned and was used in 2020 and prior years.

Again, no word on which third-party storage system ShinyHunters breached to gain access to [11]Checkout.com's data, but this is the crime gang that broke into [12]Snowflake customers' databases last year. More recently, the crew [13]breached dozens of orgs' [14]Salesforce databases.

According to Albera, Checkout.com used this compromised cloud database "for internal operational documents and merchant onboarding materials" in 2020 and prior years, and the intrusion affected less than 25 percent of its existing merchant base.

"This incident has not impacted our payment processing platform," he wrote. "The threat actors do not have, and never had, access to merchant funds or card numbers."

In addition to apologizing to its customers and partners for the security snafu, the company is in the process of contacting impacted customers and is "working closely with law enforcement and the relevant regulators."

Plus, instead of caving to the crims' demand, Albera said the company will donate the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to support cybercrime research.

"Security, transparency and trust are the foundation of our industry," he wrote. "We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy."

While we anticipate a full post-mortem in the coming weeks after [20]Checkout.com finishes its investigation, we commend the company and its execs for taking ownership, apologizing, and not funding the criminals' business (although we do understand that choice - to [21]pay or not to pay - depends on several factors including the victim org's sector and can ultimately become a [22]life or death decision).

But after all of the [24]lies, [25]damned lies, and [26]marketing BS that we typically see after a ransomware attack or any other security incident, it's refreshing to read a bit of truth and transparency from Checkout.com, and we hope other companies take note. ®

Correction: Although thieves stole data from Checkout.com, no ransomware was involved.



[1] https://www.checkout.com/blog/protecting-our-merchants-standing-up-to-extortion

[5] https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/

[6] https://blog.checkpoint.com/research/the-state-of-ransomware-in-q3-2025/

[7] https://www.theregister.com/2024/06/20/qilin_our_plan_was_to/

[8] https://www.theregister.com/2024/02/20/lockbit_down_operation_cronos/

[9] https://www.theregister.com/2025/09/26/lockbits_new_variant_is_most/

[10] https://www.theregister.com/2025/10/08/dragonforce_qilin_lockbit_collab/

[11] http://checkout.com

[12] https://www.theregister.com/2025/05/15/snowflake_ciso_interview/

[13] https://www.theregister.com/2025/10/08/salesforce_refuses_to_pay_ransomware/

[14] https://www.theregister.com/2025/08/06/google_salesforce_attacks/

[16] https://www.theregister.com/2025/04/02/oracle_breach_disaster_planning/

[17] https://www.theregister.com/2025/10/08/dragonforce_qilin_lockbit_collab/

[18] https://www.theregister.com/2025/08/06/google_salesforce_attacks/

[19] https://www.theregister.com/2025/11/13/synnovis_qilin_investigation/

[20] http://checkout.com

[21] https://www.theregister.com/2024/05/12/ransomware_negotiator_payments/

[22] https://www.theregister.com/2025/11/13/synnovis_qilin_investigation/

[24] https://www.theregister.com/2016/12/14/one_billion_yahoo_accounts_stolen/

[25] https://www.theregister.com/2025/03/25/oracle_breach_update/

[26] https://www.theregister.com/2025/04/02/oracle_breach_disaster_planning/



Good response... and that's a rare thing

Hawkeye Pierce

Bad things happen. And once they've happened, how you respond is important.

I've read many a response by companies such as this to incidents such as this and, more often than not, I'm left with the feeling that I would never choose to use them in the future. The misdirection of "sophisticated attackers".. the "sorry for any inconvenience to our customers", the whole "security is our number one focus" or "our customers are important to us".

But a response such as this? OK, would prefer not to be reading it, but if it had involved me, I'd think I'd feel a little more reassured rather than less.

Bad things happen. And once they've happened, how you respond is important.

Anonymous Coward

Exactly.

Which is why I still use Amazon - always put things right immediately.

Re: Bad things happen. And once they've happened, how you respond is important.

cyberdemon

I commend the CTO's response, but nevertheless it sounds as if their system was a leaky "Bucket" of insecurity...

The manufacturer of buckets may be at least partially culpable for selling buckets which were leaky by default

Chief Technology Officer Mariano Albera said that his company takes "full responsibility"

Press any key

A principled response from the victim. And that's what they are, a victim.

They are doing the right thing with their money. The hackers are doing the wrong thing and they are the people that should be taking the blame.

Yes, I'm ranting, I'm tired of the victim blaming. Security shouldn't be difficult and expensive; it wouldn't be if hackers weren't hacking.

Yes, lock the front door, close the windows but you shouldn't need bars on the windows and shutters on the doors. And that's because burglars shouldn't burglar. If I get burgled, I'm a victim.

Rant over, may the down votes flow.

Re: Chief Technology Officer Mariano Albera said that his company takes "full responsibility"

Anonymous Coward

> you shouldn't need bars on the windows and shutters on the doors.

This is kind of a rich world idea. In places where poverty is high, you absolutely do. The internet has connected formerly secure privileged enclaves, to the whole of the rest of the world, which is not like that, and never was.

None of these companies would consider physically moving into the shadiest barrio in the world, without employing 24/7 armed security, fences, gates, and ongoing bribes to local powers to keep trouble away.

Yet the internet brings all those barrios to a router near you, and then we wait to see if anything bad happens.

Re: Chief Technology Officer Mariano Albera said that his company takes "full responsibility"

John Robson

> In places where poverty is high, you absolutely do

No - in places where poverty is high you work to improve the lives of those who are less fortunate.
