
In recent years, we’ve seen countless examples of organizations either agreeing to pay ransomware demands or firmly refusing to negotiate. But a new case has drawn attention for taking an unusually proactive approach. Instead of caving to the attackers’ demands, the CEO of a company targeted by ransomware decided to redirect the ransom amount toward cybercrime research conducted by a coalition of major tech firms and global law-enforcement agencies.
Checkout.com’s CTO, Mariano Albera, confirmed that the company refused to pay the ransom demanded by the threat actors. Rather than funding criminal activity, he chose to invest the equivalent sum in cybersecurity research aimed at preventing future attacks—both for his company and the broader digital ecosystem.
Albera also issued an apology to Checkout.com customers and partners for the disruption caused by the attack. He assured stakeholders that the vulnerabilities enabling the double-extortion incident have been fully addressed. Additionally, external security specialists have been brought in to analyze and contain any data that may have been exfiltrated during the breach.
While the exact ransom amount requested by the Shiny Hunters ransomware group remains undisclosed, Albera made it clear that Checkout.com has no intention of paying. Instead, the company hopes that funding cybercrime research will help curb the growing sophistication of threat actors worldwide.
Early reports suggest the attackers gained access by compromising a server connected to Salesforce.com, enabling them to extract credentials tied to the payment gateway’s environment.
Cybersecurity experts frequently warn against paying ransoms. Doing so not only emboldens cybercriminals but also offers no guarantee that victims will receive a working decryption key. Surveys show that even when a key is provided, it successfully recovers only about 85% of encrypted data. The remaining data often stays corrupted, forcing companies to rely on backups—or, in some cases, completely rebuild affected systems.
Compounding this issue is a rising trend: many organizations are now being targeted two or even three times within the same year. Once criminals identify a victim willing to pay, they often return, trapping companies in a cycle of repeated extortion.
The Shiny Hunters group, active since 2020, has built a notorious reputation through a long string of high-profile breaches. Their victims have included major brands such as Microsoft, AT&T, Mashable, Pixlr, Ticketmaster, Qantas, Jaguar Land Rover, and even luxury houses like Louis Vuitton, Dior, and Tiffany. They have also been known to collaborate with other infamous collectives, including Scattered Spider and Lapsus$, making them one of the more persistent and disruptive threat actors operating today.