COVID-19 Update: How We Are Serving and Protecting Our Clients

U.S. Company Pays Hackers’ Ransom

Hacker-image-300x231

 

The United States-based travel management company, Carlson Wagonlit Travel (CWT), successfully completed a transaction with hackers who stole company data and knocked tens of thousands of company computers offline.  The transaction, which was negotiated and agreed upon through a publicly accessible online chat, stated that if CWT were to pay $4.5 million to the hackers within 24 hours of the messages (occurring on 7/27/2020), then the hackers would delete all of CWT’s data from their servers and supply the company with decryption software to restore all computers affected by the hack.

The perpetrators used a strain of ransomware called “Ragnar Locker” to attack the company’s data.  Ragnar Locker is actually able to take the data hostage, encrypting it and essentially making it useless.  The victims of these attacks are then forced to succumb to the demands of the hackers or lose access to the data permanently.  When it comes to large companies like CWT, the data is often extremely sensitive and frequently personal.  Attacks like these put the companies’ data, along with the data of their clients at risk.  CWT is believed to have had two terabytes of files, which included financial reports, security documents and other sensitive data stolen.

CWT claims to have immediately reported the hack to United States law enforcement and data protection authorities, located in Europe.  Despite the swift action, they were left to decide whether to continue risking the data of employees and clients or roll the dice on trusting the hackers to pull through their side of the bargain, and paying the ransom.  Following payment, which was completed using the cryptocurrency Bitcoin, it was reported that the hackers did indeed stick to their word and supplied decryption software.  It is also currently assumed, although it may never officially be confirmed, that they did delete all CWT data from their servers.

CWT posted revenues of $1.5 billion in 2019, and claims to represent over a third of the companies on the S&P 500 (a U.S. stock index).  A hit to consumer confidence could potentially rock the company, and so, the ransom was paid in hopes that their issues would be alleviated.  When pressed on the incident, CWT confirmed the attack had occurred, but declined to elaborate.  It cited the investigation being ongoing as the reason, and mentioned that although the investigation was still in its early stages, there was no reason to believe that any data had been further compromised.

The hackers initially demanded $10 million to restore computer access and delete all stolen data, and tried to leverage their demands by pointing out how much of a discount CWT would be receiving compared to the costs they would face had the data been leaked and access restricted.  Following the negotiations between a CWT representative and a representative for the hackers, the price of $4.5 million was agreed upon and paid in the form of 414 bitcoin on July 28th, 2020.  Currently, 1 Bitcoin is worth $11,418.80.  Experts estimate that ransomware attacks like this one cost companies billions of dollars each year, whether it comes in the form of payments to the hackers or through the costs of recovery.

Experts suggest maintaining secure back-ups for all essential data, and highly discourage paying any demanded ransoms.  The succumbing of companies to hackers’ demands only incentivizes future hacking, although companies are often left with no other choice.  Hacking is not new to anyone; we’ve all seen or heard about the popular scams running through email phishing attempts.  They typically prey on vulnerable populations like the elderly; however, businesses and their seamlessly endless wealth are frequently becoming targets for skilled hackers.  Whether you’re a Fortune 500 company, or a retiree, you may be the target of virtual criminals.  Always stay vigilant and thoroughly investigate any suspicious online activity.  No matter who you are or what your status is, if you have access to the internet…you could be next!

 

Contact Information