US travel giant CWT pays $4.5 million crypto-locker ransom

by Mark Tyson on 4 August 2020, 15:21

Quick Link: HEXUS.net/qaenf3

Add to My Vault: x

It has emerged that US travel giant CWT has paid a $4.5 million ransom to hackers who leveraged a strain of 'Ragnar Locker' to make terabytes of files inaccessible and knock thousands of corporate computers offline.

In case you haven't heard of CWT, it is a sizable US business which manages travel for more than a third of companies on the S&P 500 U.S. stock index and posted $1.5bn in revenue last year.

Reuters reports that the hacker cybercriminals got in touch with a representative of CWT, after their dastardly deed had been done, to negotiate a ransom. Initially a sum of US$10 million was demanded for the safe return of "reams of sensitive corporate files," and the deletion of copies of the data. It isn't clear if the data was mainly CWT's its customers' or both - reporting organisation Thomson Reuters is a customer of CWT. The hackers suggested paying them off would be much cheaper than the law suits that would result if they leaked all this data publically.

After some negotiation the CWT rep, said to be acting on behalf of the CFO of the company, OKed a sum of $4.5 million to be paid to the hackers via Bitcoin. This sum, 414 Bitcoins, was sent to the hacker digital wallet on 28th July.

Reuters European Cybersecurity Correspondent, Jack Stubbs, shared some more fascinating background information about this cyber heist via his Twitter account. Unusually, the ransom negotiations took place in a chat room which was open to the public, and it provides some insight into the proceedings. One example is given above.

After the ransom was paid up, the hackers kindly provided some recommended security advice, including appropriate staffing practice.

Cybersecurity experts recommend thorough protected backups to avoid being prey to such crypto-locker ransom demands. Furthermore, payment of ransoms is discouraged as it will help perpetuate this underhand business.

HEXUS Forums :: 15 Comments

Login with Forum Account

Don't have an account? Register today!
Posted by jnutt - Tue 04 Aug 2020 15:55
I'm sick of these crooks getting away with this chit!
Posted by Friesiansam - Tue 04 Aug 2020 15:57
HEXUS
The hackers suggested paying them off would be much cheaper than the law suits that would result if they leaked all this data publically.

After some negotiation the CWT rep, said to be acting on behalf of the CFO of the company, OKed a sum of $4.5 million to be paid to the hackers via Bitcoin. This sum, 414 Bitcoins, was sent to the hacker digital wallet on 28th July..
So they're sure the nice hackers will do as they say and delete all the stolen data?
Posted by DevDrake - Tue 04 Aug 2020 16:32
Friesiansam
HEXUS
The hackers suggested paying them off would be much cheaper than the law suits that would result if they leaked all this data publically.

After some negotiation the CWT rep, said to be acting on behalf of the CFO of the company, OKed a sum of $4.5 million to be paid to the hackers via Bitcoin. This sum, 414 Bitcoins, was sent to the hacker digital wallet on 28th July..
So they're sure the nice hackers will do as they say and delete all the stolen data?

And why would the hackers do this ?
They got money, they have data that is their safe card when they get caught.

It's an win win for them in this difficult situation.
Posted by QuorTek - Tue 04 Aug 2020 17:19
Well proper companies has backups.. my previous company I worked for got attacked, but the competent IT guys work just waved them off… and then installed the backup.
Posted by philehidiot - Tue 04 Aug 2020 17:40
DevDrake
Friesiansam
HEXUS
The hackers suggested paying them off would be much cheaper than the law suits that would result if they leaked all this data publically.

After some negotiation the CWT rep, said to be acting on behalf of the CFO of the company, OKed a sum of $4.5 million to be paid to the hackers via Bitcoin. This sum, 414 Bitcoins, was sent to the hacker digital wallet on 28th July..
So they're sure the nice hackers will do as they say and delete all the stolen data?

And why would the hackers do this ?
They got money, they have data that is their safe card when they get caught.

It's an win win for them in this difficult situation.

The hackers are not stupid and this is, as above, a business for them. If you screw over this one “customer”, you may make a killing, but no one will ever pay a ransom again. They also will struggle to get other teams to work with them on jobs as they're seen to be ruining the ransom business.

The other thing to consider is that this is a job with a lot of costs. The kit you use is burnable (obviously, and depending on what you're doing there may be a lot of it including cars / vans, a Yagi rifle or two and so on) and the skilled people willing to take the risk are expensive. You may put months (or more) work into this, setting up a botnet or pivots or phishing people. There was an attack on a large company and the attackers were in the network for two years before executing their attack. The odds of getting caught are very high as time progresses and so many of these scams will fail, but people and equipment will still need paying for.

Once you get paid, you have to fence the money. There are plenty of people looking to do this for you, but their cut is not small.

To keep business good, it is a poor idea to sell the company's data to competitors, especially when those competitors may just report you or actually be the next victim.

If it were me, I'd send a “taste” of data off to an up and coming exec of the next target, then I'd send him more with a trojan in it. Then I'd wait for him to take that trojan to work for me. Then I'd do them, too.

SEE NEWER »