Travel Management Company CWT Pays $4.5M to Have Its Files Unlocked
There are countless studies that use a wide spectrum of different methods to calculate the costs of a ransomware attack for the victim. These research papers take a host of factors into consideration, but the picture can never really be as clear as it is when you see the attack unfold first-hand. Last week, Reuters' Jack Stubbs got as close to this as possible. He got his hands on screenshots that show the communication between ransomware operators and employees of a travel management company called CWT, and he can now tell us that, in purely monetary terms, at least, this attack cost $4.5 million.
Ragnar Locker hits CWT badly
Surprisingly or not, CWT is not particularly keen to talk about the incident. In a statement to Reuters, the company said that everything was back to normal after a temporary shutdown of all its systems. The investigation was in its early stages when the company spoke to Reuters last week, but apparently, back then, there was no evidence of any customer information getting exposed. Jack Stubbs' report, however, suggests that the incident was much more serious.
According to the report, the travel management company was hit by the Ragnar Locker ransomware. As always, after encrypting tons of valuable information, the ransomware left a note, which included a way of contacting the cybercriminals responsible for the attack. The communication was done via an instant messaging platform, and the screenshots show that at first, CWT representatives weren't completely sure what had happened. The crooks told them that they had encrypted the files on over 30 thousand devices connected to the CWT network and had also stolen copies of financial statements, employees' personal data, and other sensitive documents.
In other words, CWT not only needed to get its files unlocked in order to resume normal operation, but it also had to worry about tons of sensitive data getting leaked by the ransomware operators.
The crooks show some understanding
To get its data back and prevent a leak, CWT needed to pay $10 million in bitcoins. The crooks rightfully pointed out that although they're asking for a serious amount of money, the ransom will probably be considerably less than the costs associated with the reputational damage and the lawsuits that could follow the exposure of information.
CWT hasn't officially announced whether or not it keeps backups of its data, but the screenshots Reuters posted show that the company was willing to cooperate pretty much from the start. The CWT representative did point out, however, that $10 million is a big ask, especially in the midst of a pandemic that is causing unprecedented damage to the travel industry.
Remarkably, the ransomware operators showed some understanding and agreed to negotiate a more acceptable price. Eventually, they settled for $4.5 million.
The consequences of doing business with the crooks
CWT has yet to publish an official statement regarding the attack, but Reuters' report suggests that the payment was processed, and the company got its decryption key. It's obvious that negotiating with criminals and paying the ransom should always be the last resort, and we're pretty sure that CWT had exhausted all other options before agreeing to transfer the bitcoins. Even so, the fact that the company got hit this badly shows that it wasn't very well prepared for a ransomware attack, and this is bound to have an effect on its reputation. There's another potential problem as well.
During the negotiations, the crooks promised that once they received the ransom, they would send a decryption tool and would also delete the information they had stolen from CWT. Unfortunately, an anonymous chat conversation is not a legally binding document, especially when the person on the other end of the keyboard engages in cybercriminal activities for a living. The crooks did send the decryption tool, but nobody can say for sure whether they kept their promise and deleted the stolen information. CWT has no other choice but to take their word for it, which, you could argue, is not always the best strategy.