Exclusive: US corporate travel management firm Carlson Wagonlit Travel has suffered an intrusion and it is believed the company paid a $4.5m ransom to get its data back.
The attack hit the company a week ago, causing a shutdown of all systems while the infection was contained and dealt with.
It appears that Carlson Wagonlit may have paid a ransom demand in excess of 400 Bitcoins, or $4.5m at current rates – a sum its $1.5bn annual revenues may have been able to absorb without too much trouble. A Twitter user posted the first indication of a breach, as well as the ransom, on Thursday:
Malware analysis sites linked in the tweet showed that a sample of the ransomware was uploaded on Monday 27 July.
Carlson Wagonlit, which recently rebranded itself CWT, provides travel and hotel booking services on what it calls a B2B2E basis – business to business to employee. Companies contract out the tedious parts of arranging corporate travel to CWT rather than doing it themselves. The Register understands that while CWT notified some of its corporate customers earlier this week, it also told them that individual travellers’ data was not compromised – and that seems to be where the notification chain stopped.
In a statement, the company told The Register:
A spokesman referred us back to the prepared statement when we asked whether CWT paid the ransom and if so, how much. Regrettably, it seems the firm has joined the ranks of other multinationals paying off criminals, including, from the last month alone, navigation and fitness-tracking firm Garmin and cloud CRM purveyor Blackbaud. Warnings that fewer than half of businesses that pay ransoms recover all of their data are simply falling on deaf ears, as is the fact that paying these crooks simply sustains their business model and encourages them to continue their crime sprees.
UK data watchdog the Information Commissioner’s Office said it had not yet received a breach notification from CWT, which has an extensive UK presence, adding that organisations must report breaches within 72 hours of becoming aware of them unless the breach does not appear to “pose a risk to people’s rights and freedoms”.
Its published guidance states:
It is thought that the nasty involved was Ragnar Locker. The ransomware, a relatively new strain first seen late last year, deploys a Windows XP virtual machine onto the target network in order to unleash the ransomware itself. According to Brit threat intelligence firm Sophos, typical attack vectors include poorly configured security controls around remote desktop services or supply chain attacks against managed service providers.
Matt Walmsley, EMEA director of infosec biz Vectra, told The Register: “Ragnar Locker is a novel and insidious ransomware group, as Portuguese energy provider EDP found out earlier this year when they reportedly lost 10TB of private information to the ransomware operator. Mirroring the ‘name and shame’ tactic used by Maze Group ransomware, victims’ data is exfiltrated prior to encryption and used to leverage ransomware payments. The bullying tactics used by these ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate.
“Ragnar Locker has also used service providers as a means to distribute their payload. These attackers will attempt to exploit, coerce, and capitalise on organisations’ valuable digital assets, and now service companies, with their extensive number of tantalising downstream corporate customers, appear to have been targeted too.”
Ragnar Locker is also said to hunt down and delete backups, related utilities and connected storage drives. ®