CWT Travel Management Company Pays $4.5M Bitcoin to Hackers

U.S.-based travel company CWT paid a $4.5 million Bitcoin ransom to hackers who stole the company’s confidential data.

According to Reuters’ July 31 report, CWT (formerly Carlson Wagonlit Travel) representatives paid the ransomware hackers 414 Bitcoin (BTC), about $4.5 million at the time, over two transactions on July 27. Blockchain data reveals that, within an hour, the criminals moved the funds to another address.

The attackers said they used Ragnar Locker ransomware to disable access to files on the company’s 30,000 computers and to steal confidential information. They originally requested $10 million but accepted less than half after a CWT representative stated that the company had incurred financial losses during the pandemic.

Ransom negotiations visible to all

A CWT representative and one for the hackers negotiated the price of restoring computer access in a publicly available online chat, an extraordinary display of relatively cordial negotiation given the nature of the crime.

The group initially claimed that such a ransom would possibly be “lots less expensive” than a lawsuit. In the chat, they also offered, as a “bonus” if CWT paid, advice on how the company should strengthen its security measures.

Online chat between CWT representative and hackers. Source: Jack Stubbs


According to the chat records, the hackers’ advice included changing passwords each month, having at least three system administrators working at all times, and testing user privileges.

After CWT made the payment, the hackers ended the chat with “it’s a pleasure to work with professionals.”

Easier just to pay?

Most businesses and entities threatened by ransomware groups have ended up paying millions of dollars rather than risk having sensitive information exposed or endure a prolonged period without computer access.

The University of California at San Francisco School of Medicine allegedly paid the hackers a $1.14 million crypto ransom during a ransomware attack on June 1. Multinational tech firm Garmin has also recently obtained the decryptor to access its files after a huge breach, indicating that the business might have paid out all or part of the $10 million that hackers originally demanded.

However, not all are willing to give in to criminal demands. An unidentified English Football League team declined to pay a ransom of $3.6 million demanded in July by hackers who threatened its corporate security systems. The club refused to pay, which contributed to a massive data loss.

...