At the end of July, travel management firm CWT (formerly Carlson Wagonlit Travel), one of the largest companies handling business travel, meetings, and conferences and representing more than one-third of the companies in the S&P 500, paid $4.5 million after a ransomware attack.
In a ransom note left on infected CWT computers and screenshots posted online, the hackers claimed to have stolen two terabytes of files, including financial reports, security documents and employees’ personal data such as email addresses and salary information.
Hackers had encrypted corporate files and taken 30,000 computers offline with ‘Ragnar Locker’ malware. That happens with some regularity. Foreign currency dealer Travelex blames ransomware for its bankruptcy, though certainly Covid-19 has as much to do with it.
What’s unique about the Carlson attack is that the negotiations between the company and the hackers were left online for anyone to read.
- Hackers demanded $10 million to unlock the CWT files and delete their copy of the data.
- CWT, though, pleaded poverty as a result of Covid-19 and haggled the price down to $4.5 million in bitcoin.
But the online chat room where the ransom negotiations took place was left online, giving a rare and *incredibly* interesting insight into how these things actually go down pic.twitter.com/WmkI19Dxt8
— Jack Stubbs (@jc_stubbs) July 31, 2020
The hackers initially demanded a $10 mln ransom. What ensued was lots of haggling and discussion of discounts pic.twitter.com/IOzoSV1uyH
— Jack Stubbs (@jc_stubbs) July 31, 2020
Personally I was surprised at how professional and collegial the whole conversation was. From beginning to end, this was treated as a business transaction by both parties pic.twitter.com/UyzetQeVab
— Jack Stubbs (@jc_stubbs) July 31, 2020
After the ransom was paid, the attackers even provided some bonus security advice! pic.twitter.com/aqetEEg5Js
— Jack Stubbs (@jc_stubbs) July 31, 2020
"It's a pleasure to work with professionals."
One of the last messages is the hackers offering to wipe the contents of the chat. It was not deleted. pic.twitter.com/cIxsnWug90
— Jack Stubbs (@jc_stubbs) July 31, 2020
I have to wonder whether the hackers left money on the table. If CWT was willing to spend $4.5 million, why wouldn’t a firm with billions in revenue spend more, even in a challenging economic environment? Although hackers probably shouldn’t be targeting travel companies now. Willie Sutton said he robbed banks because that’s where the money is. And despite leveraging up, accessing large amounts of cash to make it through the current crisis, it’s not clear that travel is where the money’s at right now.
(HT: Marginal Revolution)
It is a safe bet that while CWT was doing the negotiating they were doing it with the money of their cybersecurity insurer. My guess is that if you knew their policy limits the number that was arrived at would make a decent amount of sense. Just guessing, though. No inside info.
If you run your business on a legacy Windows server you kind of deserve to pay this. Windows is like wearing a ‘kick me’ sign on the internet.
@Andy – you’re not wrong, but just remember: hubris is really the enemy of security. If you think you’re safe because you run Linux, you’ll be having this conversation in a ‘support session’ as well.
@Gary – The number one obstacle to getting a payout in a ransomware situation is the victim’s perception of the ransomer. If the victim believes that the ransomer will act in bad faith (not return the system to its owner, not delete their copies, or the pricing is too high), then future victims will be less likely to deal. If the ransomer is “professional”, the final price is “reasonable” (even better if the victim feels like they “saved” money in the deal!), and the transaction itself ends up as negotiated, then future victims will be more willing to negotiate and pay vs. taking a hardline stance of never negotiating and never paying. By leaving money on the table for this single transaction and publicly displaying their professionalism, they will more than make it up through future victims’ willingness to deal.
While there are exceptions, most security problems are due to companies ignoring it and hiring people on the cheap who don’t know what they are doing. Then you have companies that may hire professionals but ignore the advice because they don’t want to change their systems, don’t want to take the time/effort to upgrade, or just think they are unlikely to be a victim.
Sadly there are a ton of systems out there that are easy prey.
You had Baltimore where they literally backed up data to the local hard drive. Obviously a city with limited funds but they certainly didn’t spend the funds wisely.
And it is one thing if you get targeted by a determined, well organized group that has a ton of resources to get into your system and another when it takes limited effort and skill.
I cannot believe these cyber thieves cannot be found!! Some bank got the $$$4.5 million??????
Banks do not handle Bitcoin. Get rid of Bitcoin and other virtual currencies and this can’t happen.
I had one client whose system got locked by these Russians. They wanted $300 to unlock the computer. They did not know it was worth more than that. Based on us telling them to replace their computer people, their new ones had them upgrade their main computer and install nightly off-site backups. They then told the hackers NO and restored the backup from the night before.
3M issued a statement that there are no studies indicating the exhaust valve provides more or less protection to others than various non-respirator masks, and that particle physics suggests large droplets would attach to the exhaust valve of its products. The company further points out that a properly sealed N95 or N100 will protect against leakage in both inhalation and exhaust… and that the standard surgical masks you see people wearing do not provide this protection against leakage.
Apart from 3M’s statement, I’d suggest people wear one of their masks with the cool-flow exhaust. While wearing it, even blowing into the mask directs the flow of exhaust downward, not outward.
Putting a surgical mask on top of my N100 with exhaust is what I will do if I need to fly… not just use a surgical mask.
https://multimedia.3m.com/mws/media/1791526O/respiratory-protection-faq-general-public-tb.pdf
If it is important, it should be backed up. If the backups are not tested, they are not backups.
If it is sensitive, it should be encrypted.