Big travel company CWT pays $4.5 million USD ransom to remove encryption malware from 30k computers

Successful ransomware attacks continue to have serious consequences for the companies affected. CWT, a US travel management firm, had to pay more than $4 million USD to a hacker group to recover thousands of confidential files that had been encrypted with a dangerous ransomware variant a couple of months ago. Threat actors apparently managed to infect some 30,000 computers belonging to the company, as reported by the news agency Reuters.

According to reports, the cybercriminals used a ransomware variant known as Ragnar Locker, which is capable of encrypting large numbers of files very quickly, leaving them completely unusable until a decryption tool is applied.

CWT executives had to negotiate with the threat actors through a dark web site; for reasons that remain unclear, the chat logs became public, which provided some insight into the negotiation process.

CWT confirmed the incident but declined to provide further details because the investigation is still ongoing. Last year CWT reported profits of around $500 million USD, positioning it as one of the world’s leading travel management firms.

“We disconnected our systems as a precautionary measure; now we can confirm the incident was contained and we’re working normally,” the CWT statement reads. The company adds that, at the moment, there is no evidence that the personal and financial information of its customers and employees has been compromised. Authorities were notified immediately and are cooperating with the company. A source close to the incident claims that the number of infected devices is far lower than the 30,000 computers the hackers claim to have compromised.

During the negotiation, the hackers initially demanded a $10 million USD ransom, as the leaked conversations show: “Probably paying the ransom is cheaper than the loss of reputation for leaked information,” one of the attackers’ messages reads.

[Image: CTWransom02.jpg] SOURCE: CWT

In response, the negotiator acting for CWT stated that the company’s chief financial officer would not authorize payment of that amount, since CWT continues to suffer economic losses due to the pandemic. Soon after, both parties agreed on a $4.5 million USD ransom, to be paid by cryptocurrency transfer.

[Image: CTWransom01.jpg] SOURCE: CWT

Cybersecurity experts identified the cryptocurrency wallet controlled by the attackers and verified that a payment of 414 Bitcoin was received on July 28. The amount and date of the transfer match the incident that affected CWT.

The cybersecurity community agrees that ransomware attacks remain one of the most serious security threats for individual users, private companies, and government organizations. Greater effort is therefore needed to prevent these incidents, both by raising awareness of computer security issues among less experienced users and by keeping backups of the most important information stored on our computer equipment.