CWT Pays $4.5M Following Ransomware Attack

Travel management company Carlson Wagonlit Travel (CWT) paid a ransom of approximately $4.5 million to get its data back after an intrusion that happened on Aug. 1, 2020.

The cyber incident led CWT to shut down its systems to contain the infection. The hackers are demanding 414 Bitcoins in excess of the $4.5 million ransom.

In a statement, the company said, “We can confirm that after temporarily shutting down our systems as a precautionary measure, our systems are back online and the incident has now ceased. We immediately launched an investigation and engaged [with] external forensic experts.”

CWT also said the investigation showed no indication that traveler information or customer PII had been affected. The company clarified that its top priority is ensuring that all customer data is intact and was not tampered with in the ransomware incident.

The $4.5 million ransom caused little trouble for the company, which reported $1.5 billion in annual revenue. However, the ransomware could affect the brand's reputation for security, and people might think twice before giving it personal information.

Ragnar Locker

Hacker group Ragnar Locker was responsible for the ransomware that attacked CWT's systems and networks. The group accessed sensitive files and held them encrypted until a ransom was paid. In addition to the files, the group also hacked more than 30,000 company computers.

The hackers used the RagnarLocker software, which accessed all the sensitive files. According to authorities, this software was launched and used in 2019.

“RagnarLocker is simple ransomware, much like others that exist in the criminal market. Due to its small size, its operator’s aggressive behavior, and the knowledge they seem to have that allows them to enter the networks of enterprise, as well as the threat to leak information if the ransom is not paid,” said McAfee.

The travel management company publicized the incident on Saturday, Aug. 1, providing information on the transaction with Ragnar Locker. The talks played out in a publicly viewable chat room, where the hackers initially asked for $10 million.

A company representative was able to negotiate with the group and ended up with the $4.5 million ransom. After negotiating, the representative sought advice on how to recover the files and what steps were needed to resolve the issue.

No further information was disclosed as the company pursued the investigation. The representative declined to comment, while all the systems are back online.

The hackers advised CWT to update passwords monthly and to have at least three system administrators in operation at any given time.
