There are indications that technology company Garmin has paid a US$10 million ($14m) ransom - with an NZ company helping it retrieve its data.
On July 23, Garmin was hit by a cyber attack that saw some of its files encrypted - cutting off users of its fitness trackers from the online Strava tool that is so essential for bragging about distance covered, and small plane pilots from its FlyGarmin navigation service.
The US-based multinational has now started to restore service.
Garmin - which did not immediately respond to a request for comment - has been criticised for its lack of communication over the hack.
But security publication BleepingComputer says Garmin staff have leaked the ransom amount.
Employees also confirmed that Garmin had received a decryption tool from Nelson-based Emsisoft to help it retrieve files.
"I cannot comment on specific cases, but generally speaking, Emsisoft has no involvement whatsoever in negotiating or transacting ransom payments. We simply create decryption tools," Emsisoft threat analyst Brett Callow told the Herald this morning.
Emsisoft commonly makes custom ransomware decryptors when the tools supplied by the threat actors are buggy or if companies are concerned that they may contain backdoors.
"If the ransom has been paid but the attacker-provided decryptor is slow or faulty, we can extract the decryption code and create a custom-built solution that decrypts up to 50 percent faster with less risk of data damage or loss," Emsisoft's ransomware recovery services page states.
Emsisoft was created in 2003 by Austrian ex-pat Christian Mairoll, who told Business Insider he immigrated to New Zealand in search of warmer winters and a more relaxed lifestyle.
Today, from his Nelson property, he manages some 40 staff in 20 countries - all of whom work at home.
Police advice: Don't pay up
NZ Police and Crown cybercrime agency Cert NZ recommend that those hit by ransomware do not pay. Data may not be decrypted or returned as promised, and the proceeds often go to criminal gangs, helping to sustain operations in other areas such as drug and human trafficking.
Copies of data might not be destroyed, but instead used for blackmail, and returned data can be booby-trapped to allow future access to an organisation's network, Cert NZ deputy director Declan Ingram recently told the Herald.
For their part, ransomware gangs like to exert pressure by releasing small batches of files onto the internet.
For example, recent ransomware victim Fisher & Paykel Appliances saw sensitive budget and planning files made public (but gritted its teeth and did not pay up).
In Garmin's case, it had a more urgent need to pay up, or restore its systems. While losing access to the company's Strava service was annoying for fitness freaks, issues with its flight navigation products had a sharper edge.
"I rely on these to not hit mountains, so have a vested interest," Auckland small-plane pilot Vaughn Davis told the Herald.