American Radio Relay League pays $1M to threat actors after ransomware attack


The American Radio Relay League (ARRL) has paid threat actors $1 million after the association suffered a ransomware attack in May 2024.

ARRL, an amateur radio association in the US, “is a noncommercial organization of radio amateurs” founded in 1914. The association has around 160,000 members, a budget of approximately $14 million, and roughly 120 employees.

In May 2024, threat actors attacked the association's systems using novel information they had bought on the dark web.

Threat actors “accessed headquarters on-site systems and most cloud-based systems,” ARRL said in a news report discussing the incident.

During the attack, threat actors used malware that affected various systems, from desktops and laptops to Windows and Linux-based servers.

“Despite the wide variety of target configurations, the threat actors seemed to have a payload that would host and execute encryption or deletion of network-based IT assets, as well as launch demands for a ransom payment, for every system,” ARRL said.

On the morning of May 15th, 2024, staff reportedly came into work and could tell that something was wrong.

“It was immediately apparent that ARRL had become the victim of an extensive and sophisticated ransomware attack,” the association recalls.

ARRL engaged with the Federal Bureau of Investigation (FBI), which characterized the attack as “unique”; the agents working on the case said that they had not witnessed an attack this sophisticated.

The association immediately established a crisis management team and engaged with external experts and law enforcement. But this wasn’t an easy fix, as the threat actors had encrypted ARRL’s systems and expected a ransom payment in return for decryption keys.

“The ransom demands by the threat actors, in exchange for access to their decryption tools, were exorbitant,” ARRL said.

However, the association claims that the threat actors' lack of compromising data on ARRL “dramatically weakened” their ransom demands.

But, after “days of tense negotiation and brinkmanship,” the association agreed to pay $1 million, which ARRL’s insurance provider mostly covered.

It was clear to ARRL that the threat actors believed the association had “extensive insurance coverage that would cover a multi-million dollar ransom payment.” Yet, these threat actors had attacked a “small organization with limited resources.”

It’s unclear whether the threat actors obtained sensitive data from employees or users. However, the association did file a breach notification with the Office of the Maine Attorney General in July 2024, detailing that 150 people had been affected by the attack.

Personal information such as the names, addresses, and Social Security numbers of ARRL employees may have been compromised. However, it’s unknown whether users' data was obtained and exploited.

Since the attack, most of ARRL’s systems have been restored or are pending restoration.

“While we have been in restoration mode, we have also been working to simplify the infrastructure,” the association said. However, this process could take another one or two months to complete.