First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo

$4.5m may have gone into crims' pockets after bookings biz hit by Ragnar Locker nasty


Exclusive US corporate travel management firm Carlson Wagonlit Travel has suffered an intrusion and it is believed the company paid a $4.5m ransom to get its data back.

The attack hit the company a week ago, causing a shutdown of all systems while the infection was contained and dealt with.

It appears that Carlson Wagonlit may have paid a ransom demand in excess of 400 Bitcoins, or $4.5m at current rates – a sum its $1.5bn annual revenues may have been able to absorb without too much trouble. A Twitter user posted the first indication of a breach, as well as the ransom, on Thursday:

Twitter user @JAMESWT_MHT posted about Ragnar Locker hitting CWT on Thursday

Twitter user @JAMESWT_MHT posted about Ragnar Locker hitting CWT. Click to enlarge

Malware analysis sites linked in the tweet showed that a sample of the ransomware was uploaded on Monday 27 July.

Carlson Wagonlit, which recently rebranded itself CWT, provides travel and hotel booking services on what it calls a B2B2E basis – business to business to employee. Companies contract out the tedious parts of arranging corporate travel to CWT rather than doing it themselves. The Register understands that while CWT notified some of its corporate customers earlier this week, it also told them that individual travellers' data was not compromised – and that seems to be where the notification chain stopped.

In a statement, the company told The Register:

CWT experienced a cyber-incident at the weekend. We can confirm that after temporarily shutting down our systems as a precautionary measure, our systems are back online and the incident has now ceased. We immediately launched an investigation and engaged external forensic experts. While the investigation is at an early stage, we have no indication that PII/customer and traveller information has been affected. The security and integrity of our customers' information is our top priority.

A spokesman referred us back to the prepared statement when we asked whether CWT paid the ransom and if so, how much. Regrettably, it seems the firm has joined the ranks of other multinationals paying off criminals, including, from the last month alone, navigation and fitness-tracking firm Garmin and cloud CRM purveyor Blackbaud. Warnings that less than half of businesses paying ransoms don't recover all of their data are simply falling on deaf ears, as is the fact that paying these crooks simply sustains their business model and encourages them to continue their crime sprees.

UK data watchdog the Information Commissioner's Office said it had not yet received a breach notification from CWT, which has an extensive UK presence, adding that organisations must report breaches within 72 hours of becoming aware of them unless the breach does not appear to "pose a risk to people's rights and freedoms".

Its published guidance states:

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it's likely that there will be a risk then you must notify the ICO; if it's unlikely then you don't have to report it. However, if you decide you don't need to report the breach, you need to be able to justify this decision, so you should document it.

It is thought that the nasty involved was Ragnar Locker. The ransomware, a relatively new strain first seen late last year, deploys a Windows XP virtual machine onto the target network in order to unleash the ransomware itself. According to Brit threat intelligence firm Sophos, typical attack vectors include poorly configured security controls around remote desktop services or supply chain attacks against managed service providers.

Matt Walmsley, EMEA director of infosec biz Vectra, told The Register: "Ragnar Locker is a novel and insidious ransomware group, as Portuguese energy provider EDP found out earlier this year when they reportedly lost 10TB of private information to the ransomware operator. Mirroring the 'name and shame' tactic used by Maze Group ransomware, victim's data is exfiltrated prior to encryption and used to leverage ransomware payments. The bullying tactics used by these ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate.

"Ragnar Locker has also used service providers as a means to distribute their payload. These attackers will attempt to exploit, coerce, and capitalise on organisations' valuable digital assets, and now service companies, with their extensive number of tantalising downstream corporate customers, appear to have been targeted too."

Bert Steppé, researcher in F-Secure's Tactical Defence Unit, added: "Ragnar Locker is a relatively new ransomware family, used in targeted attacks. The ransom note is personalised for each victim. It was first observed in the beginning of this year, where it was deployed on vulnerable Citrix servers. The ransomware is still under active development, and the attackers are quite innovative to evade detection: in one known case, they have deployed a complete WinXP virtual machine to encrypt files on the host from within the VM."

Ragnar Locker is also said to hunt down and delete backups, related utilities and connected storage drives. ®

Updated to add

The Information Commissioner's Office got in touch to let us know: "Carlson Wagonlit UK Ltd have reported an incident to us. We will be assessing the information provided."


Biting the hand that feeds IT © 1998–2020