Full Report
Checkout.com will instead donate the amount to fund cybercrime research

Ransomware is a huge business, because affected orgs keep forking over money to get their data back. However, instead of paying a ransom demand after getting hit by extortionists last week, payment services provider Checkout.com donated the demanded amount to fund cybercrime research.…
Analysis Summary
# Incident Report: Checkout.com Ransomware Extortion Attempt
## Executive Summary
Payment services provider Checkout.com was targeted by extortionists who claimed to have stolen data and demanded a ransom last week (prior to November 13, 2025). The attackers gained access via a legacy, improperly decommissioned third-party cloud file storage system used primarily in 2020 and earlier. Checkout.com refused to pay the ransom, instead apologizing, taking full responsibility, and announcing a decision to donate the demanded ransom amount to cybercrime research centers.
## Incident Details
- Discovery Date: Not explicitly stated, but implied to be when the extortionists contacted the company "last week."
- Incident Date: Occurred "last week" prior to November 13, 2025.
- Affected Organization: Checkout.com
- Sector: Payment Services Provider / Financial Technology
- Geography: Not specified; global operations are implied given the nature of the business.
## Timeline of Events
### Initial Access
- Date/Time: Unknown, but the compromised system was active in 2020 and prior years.
- Vector: Compromise of a "legacy third-party cloud file storage system" that was not properly decommissioned.
- Details: This system was used by Checkout.com for "internal operational documents and merchant onboarding materials" before 2021.
### Lateral Movement
- Details: Not specified in the provided text, beyond the attackers accessing data held in the compromised cloud file storage system.
### Data Exfiltration/Impact
- Details: Claimed theft of data, specifically internal operational documents and merchant onboarding materials from the legacy storage. Less than 25% of the existing merchant base was affected. Crucially, the payment processing platform, merchant funds, and card numbers were *not* impacted.
### Detection & Response
- Date/Time: Extortionists contacted the company "last week." Internal investigation launched immediately following contact.
- Details: CTO Mariano Albera announced on Wednesday (approx. Nov 12, 2025) that the company would not pay. The company contacted impacted customers, launched an internal investigation, and is working with law enforcement and regulators.
## Attack Methodology
- Initial Access: Exploitation or compromise of a legacy, non-decommissioned third-party cloud file storage system.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed.
- Discovery: Not detailed.
- Lateral Movement: Movement within the compromised cloud file storage environment; no further detail provided.
- Collection: Gathering of internal operational documents and merchant onboarding materials.
- Exfiltration: Implied data theft, leading to the ransom demand.
- Impact: Extortion attempt based on stolen documentation.
## Impact Assessment
- Financial: Ransom demand amount unknown; Checkout.com chose to incur the cost of the donation instead of paying the ransom.
- Data Breach: Internal operational documents and merchant onboarding materials related to less than 25% of the merchant base.
- Operational: No impact on the core payment processing platform, merchant funds, or card numbers.
- Reputational: Attempted management through transparency, taking full responsibility, and public apology by the CTO.
## Indicators of Compromise
- Network indicators: None provided.
- File indicators: None provided.
- Behavioral indicators: None provided.
## Response Actions
- Containment measures: Internal investigation launched immediately upon contact.
- Eradication steps: Remediation of the legacy cloud storage system (completing its decommissioning) is implied, though not explicitly listed as a security step.
- Recovery actions: Company is in the process of contacting impacted customers.
## Lessons Learned
- The critical risk posed by legacy infrastructure that was never properly decommissioned, even when it is operated by a third party.
- The importance of thorough asset management to ensure all old cloud storage instances are properly retired and secured.
- Commitment to transparency and refusal to fund criminal enterprises can be a strategic response, despite the breach itself.
## Recommendations
- Immediately inventory and decommission all legacy cloud storage systems and third-party environments that are no longer in active production use.
- Conduct a comprehensive audit of third-party access protocols and termination procedures.
- Continue to foster a culture of transparency regarding security incidents with partners and regulators.