Grafana refuses to pay ransom after codebase theft
Analytics company Grafana Labs confirmed this weekend that hackers were able to breach their systems and download the company’s codebase.
On Saturday night, the company released a statement confirming the incident and outlining their decision not to pay a ransom issued by the hackers behind the attack.
“We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase,” the company said.
“Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations.”
Grafana Labs said it is still in the midst of an investigation but believes it has identified the source of the credential leak. The compromised credentials have been invalidated and the company took other measures to secure its systems, according to the statement.
The incident emerged on Friday when an extortion group known as CoinbaseCartel claimed to have stolen information from Grafana Labs. Grafana is a popular analytics and visualization web application that allows its more than 7,000 customers to create dashboards that track metrics and other information.
Grafana Labs confirmed that the hackers attempted to blackmail the company to prevent the release of its codebase, but it refused to pay based on longstanding FBI guidance that paying cybercriminals does not guarantee anything.
“We’ve determined the appropriate path forward is to not pay the ransom. As part of Grafana Labs’ standard security practices, we will share additional information from our post-incident review when our investigations are complete,” the company said.
Grafana Labs did not respond to questions about what they will do if or when the codebase is released or whether the hackers have been fully evicted from their systems.
CoinbaseCartel emerged last year as a data theft offshoot of the larger Scattered Lapsus$ Hunters (SLSH) cybercriminal collective. Cybersecurity experts at Halcyon said the group has attempted to extort more than 100 companies across several industries since September.
The group does not use ransomware during attacks, instead relying on stolen credentials and social engineering to gain access to victim networks.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.



