CWT (formerly Carlson Wagonlit Travel), the US-based corporate travel firm, has paid a $4.5 million ransom in Bitcoin (BTC) to hackers who stole sensitive files from the company.
On July 31, Reuters reported that representatives from CWT paid ransomware hackers 414 Bitcoin on July 27, around $4.5 million at the time, over two transactions.
Blockchain data shows the criminals transferred the funds to a different address within an hour.
The attackers said that they used Ragnar Locker ransomware to disable access to files on 30,000 computers at the firm and steal sensitive data. They initially demanded $10 million but accepted less than half after a CWT representative claimed the firm had suffered financial losses during the pandemic.
Publicly available chat transcripts show representatives from a hacking group and travel firm CWT negotiating over a $10 million ransom https://t.co/RGzNypUXvi — Cointelegraph (@Cointelegraph) August 3, 2020
According to the report, in negotiations that were unusually cordial given the nature of the crime, a CWT representative and a representative for the hackers discussed the price of restoring computer access in a publicly accessible online chat group.
The group initially stated that such a ransom would probably be “much cheaper” than a lawsuit. In the chat, the hackers even offered a “bonus” of recommendations as to how CWT could improve its security measures if the firm decided to pay.
According to chat records, some of the ransomware group’s advice included updating passwords every month, having at least three system administrators working at all times, and checking user privileges.
After the ransom was paid, the attackers even provided some bonus security advice! pic.twitter.com/aqetEEg5Js — Jack Stubbs (@jc_stubbs) July 31, 2020
The hackers ended the chat with “it’s a pleasure to work with professionals” after CWT made the payment.
"It's a pleasure to work with professionals." One of the last messages is the hackers offering to wipe the contents of the chat. It was not deleted. pic.twitter.com/cIxsnWug90 — Jack Stubbs (@jc_stubbs) July 31, 2020