Travel Management Firm CWT Pays $4.5M In Bitcoin To Hackers

Corporate travel manager CWT paid $4.5 million worth of bitcoin in ransom this week to hackers who said they seized control of 30,000 company computers and two terabytes of data, Reuters reported on Friday (July 31).

The news service said it learned details of the negotiations between Minnetonka, Minnesota-based CWT and the unidentified hackers because the talks played out in a publicly viewable chat room.

Reuters said the thieves initially wanted $10 million before settling for $4.5 million, and it isn’t clear whether private customer data was compromised by the attack.

A CWT representative told the news service: “While the investigation is at an early stage, we have no indication that personally identifiable information/customer and traveler information has been compromised.”

Reuters said the hackers used software called RagnarLocker. According to computer security firm McAfee, criminals have been using RagnarLocker since late 2019.

“RagnarLocker is a simple ransomware, much like others that exist in the criminal market. Due to its small size, its operator’s aggressive behavior and the knowledge they seem to have that allows them to enter the networks of enterprises, as well as the threat to leak information if the ransom is not paid, RagnarLocker could potentially become a big threat in the future,” McAfee states on its website. “Time will tell if RagnarLocker becomes a serious threat or disappears against a backdrop of other ransomware with more resources. The code is medium in quality.”

Hacker tools such as RagnarLocker function in part by blocking legitimate users of computers from accessing functioning backups. Security experts say one way to thwart such attacks is to maintain off-site backups that can’t be compromised by an attack on an organization’s main system.

On Thursday (July 30), the FBI alerted organizations around the world that there seemed to be a surge in one type of ransomware attack.

The hit to CWT comes as corporate travel firms have begun to see a rebound in companies’ interest in business travel.
