[BreachExchange] Travel management company CWT hands over $4.5M following ransomware attack

Destry Winant destry at riskbasedsecurity.com
Tue Aug 4 10:25:12 EDT 2020


https://siliconangle.com/2020/08/02/travel-management-company-cwt-hands-4-5m-following-ransomware-attack/

Business travel management company CWT Global B.V. is the latest
company to pay a ransom demand following a ransomware attack.

According to a report Friday by Reuters, the company paid $4.5 million
to those behind the ransomware after the attack knocked some 30,000 of
the company’s computers offline.

The hackers are also alleged to have stolen reams of sensitive
corporate files, although the company denies it. CWT is one of the
largest travel companies in the U.S. and ranks fifth on a list of the
top-earning travel companies in the world. Its clients include a third
of the companies on the S&P 500 U.S. stock index.

The ransomware attack is said to have involved Ragnar Locker. That form
of ransomware attacks Microsoft Windows and usually targets software
used by managed service providers to prevent the attack from being
detected and stopped. Once successfully deployed on a targeted
computer or network, Ragnar Locker at first performs reconnaissance
and pre-deployment tasks, including stealing a victim’s files, before
encrypting files and demanding a ransom.

Those behind Ragnar Locker are believed to be independent but in the
past have teamed with the Maze ransomware gang to extort victims.

Remarkably, negotiations between CWT and those behind the attack were
undertaken on a publicly accessible online chat group. The hackers
initially demanded a payment of $10 million to restore CWT’s files and
delete all stolen data, saying that “it’s probably much cheaper than
lawsuits expenses [sic], reputation loss caused by leakage.” A
representative of CWT said it was acting on behalf of the company’s
chief financial officer and wrote that the company had been hit hard
by COVID-19 and would agree to pay $4.5 million instead.

Reuters notes that a payment equivalent to $4.5 million in bitcoin was
subsequently sent to a wallet controlled by the hackers on July 28.

Some companies feel that they have no choice other than to pay a
ransom to restore computer networks or prevent the distribution of
stolen data, but doing so only empowers hackers to try their luck with
more companies. Sneha Kokil, software security consultant at
electronic design automation firm Synopsys Inc., told SiliconANGLE
last year that “security experts suggest not paying ransoms because it
may encourage expanded or copycat attacks” and that “additionally, in
many cases there is no guarantee that the paid ransom will release the
decryption key for you to access the data being held for ransom.”
