A recent hack of a major travel management firm has reportedly left attackers with USD 4.6m worth of bitcoin (BTC), after the company was forced on July 28 to pay to restore access to internal files, Reuters reported, citing a record of the ransom negotiations.
The attack targeted up to 30,0000 computers belonging to the US-based travel management firm CWT with a type of ransomware known as “Ragnar Locker” that encrypts all files on a computer, rendering them useless until a ransom is paid, the report said.
And although the travel firm did shell out BTC 414, currently worth about USD 4.6 million, the original demand from the hackers was reportedly far higher at USD 10 million. “It’s probably much cheaper than lawsuits expenses, reputation loss caused by leakage,” a message sent from the hackers to a CWT representative said, according to Reuters.
The company representative, who said he communicated with the hackers on behalf of the chief financial officer, then managed to negotiate the ransom down to USD 4.5 million, the report further said.
“Okay let’s get this moving forward. What are the next steps,” the company representative asked in a message to the hackers, it added.
But the online chat room where the ransom negotiations took place was left online, giving a rare and *incredibly* i… https://t.co/T428w4mkbs
— Jack Stubbs (@jc_stubbs)
Further, the report said that a note left on the compromised computers made it clear that the attackers had stolen two terabytes of files, which reportedly included security documents, financial reports, and employee data such as salaries and email addresses.
Despite the note, however, CWT said in a statement that it has “no indication that personally identifiable information/customer and traveler information has been compromised,” adding that it had temporarily shut down all computer systems “as a precautionary measure” and that the systems are “back online and the incident has now ceased.”
The incident involving CWT is far from the first time cryptocurrency has been demanded by cybercriminals as part of ransomware attacks.
On July 23, the multinational tech company Garmin was targeted in a ransomware attack which managed to encrypt a large number of internal files and take down several services offered by the company best known for its GPS navigation solutions.
According to a report by Bleeping Computer, Garmin has now obtained the decryption key needed to restore its services, which almost certainly means that a ransom has been paid, while industry observers speculate that payment was most likely made in crypto.
According to Bleeping Computer’s unnamed sources, the attackers in the Garmin case demanded USD 10 million in ransom for the decryption key. Garmin refused to provide any comment on the incident.
In addition to Garmin, a similar attack hit Telecom S.A., the largest telecom company in Argentina, last month, when hackers demanded USD 7.5m in monero (XMR) to restore access to internal files. No information has yet been issued on whether the company has paid the ransom.