Meanwhile, back to the article itself...
"...obtained the tool from a third party..."
Er, lemme have a guess: you paid the ransom, didn't you. DIDN'T YOU! Go on, admit it. Just a wild stab in the dark, which is what you should have.
If I'm wrong, I'm wrong.
They really need to stop touting themselves as providers of infosec services.