US Carlson Wagonlit Travel pays a $4.5m ransom to get its data back

August 4, 2020

US corporate travel management firm Carlson Wagonlit Travel has suffered an intrusion, and it is believed the company paid a $4.5m ransom to get its data back.

According to The Register, the ransomware attack hit the company more than a week ago, causing a shutdown of all systems while the infection was contained and dealt with. In addition, the report notes it appears that Carlson Wagonlit may have paid a ransom demand in excess of 400 Bitcoins, or $4.5m at current rates – a sum its $1.5bn annual revenues may have been able to absorb without too much trouble.

In a statement, the company told The Register: "CWT experienced a cyber-incident at the weekend. We can confirm that after temporarily shutting down our systems as a precautionary measure, our systems are back online and the incident has now ceased. We immediately launched an investigation and engaged external forensic experts. While the investigation is at an early stage, we have no indication that PII/customer and traveller information has been affected. The security and integrity of our customers' information is our top priority."

Matt Walmsley, EMEA Director at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, explains that "Ragnar Locker is a novel and insidious ransomware group, as Portuguese energy provider EDP found out earlier this year when they reportedly lost 10TB of private information to the ransomware operator. Mirroring the “name and shame” tactic used by Maze Group ransomware, victim’s data is exfiltrated prior to encryption and used to leverage ransomware payments. The bullying tactics used by these ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate. Ragnar Locker has also used service providers as a means to distribute their payload. These attackers will attempt to exploit, coerce, and capitalize on organizations’ valuable digital assets, and now service companies with their extensive number of tantalizing downstream corporate customers, appear to have been targeted too."

Walmsley adds, "Ransomware attackers tend to seek privileged entities associated to accounts, hosts and services due to the unrestricted access they can provide and to ease replication and propagation. Attackers will maneuver themselves through a network and make that step from a regular user account, to a privileged account which can allow them to deploy their tools and access all the data they need in order to finalize their ransomware attack and bribe their victims. Therefore, security teams need to be agile as time is their most precious resource in dealing with ransomware attacks. Early detection and response is key to gaining back control and stopping the attackers in their tracks before they can propagate across the organization, stealing and denying access to data."

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.