CWT, a U.S. travel management firm that posted revenues of $1.5 billion last year and claims to represent over a third of companies in the S&P 500, paid $4.5 million in bitcoin to hackers who extorted them after infecting them with ransomware.
According to Reuters, the attackers used a ransomware strain called Ragnar Locker, which encrypts computer files and renders them unusable. The $4.5 million in bitcoin ransom was paid for a decryption key in a bid to restore the files.
The hackers told CWT they had infected 30,000 computers within its systems, and that using publicly available decryption tools or shutting down their machines could damage the files and render decryption impossible. They claimed to have stolen two terabytes of files, including financial reports, security documents, employees’ personal data, and more.
To Reuters, CWT confirmed that it temporarily shut down its systems as a “precautionary measure,” but that its systems are back online and the “incident has now ceased.” The firm added that “while the investigation is at an early stage, we have no indication that personally identifiable information/customer and traveller information has been compromised.”
The travel giant has reportedly already informed U.S. law enforcement and European data protection authorities of the incident. In the negotiations, the hackers initially demanded $10 million to restore CWT’s files and delete all the stolen data, arguing it would be cheaper to pay than to deal with lawsuits and the damage the leak would do to the firm’s reputation.
A CWT representative in the negotiations, said to be acting on behalf of the company’s chief financial officer, claimed the COVID-19 pandemic had hit the firm hard, and the two sides haggled over the amount.
In the end, both parties agreed CWT would pay the hackers $4.5 million in bitcoin. Blockchain data shows the payment occurred and that the hackers already moved the funds out of the wallet.
Cybersecurity experts, Reuters points out, advised against paying these ransoms as they encourage further attacks without any guarantee the files will be decrypted or deleted from the hackers’ systems.