Last week, the server that hosted an online chat between the operators of the Ragnar Locker ransomware and a representative of the global travel services company Carlson Wagonlit Travel (CWT) was left open to the public, resulting in the full text of the negotiations between the criminals and their victim being available to news reporters. The criminals treated the negotiations as if they were a business deal, and demanded a payment of $10 million USD in return for “services provided,” which included a decryption key and software to restore files, consulting advice about how they broke in, what CWT should do to secure their computers in the future, and assurance that all the sensitive customer information that was stolen had been deleted. The criminals also promised not to publicly reveal information about the hack to help CWT avoid reputational damage and possible fines under laws including GDPR. The chat showed that CWT negotiated the payment amount down from $10 million to $4.5 million, and the blockchain, a public ledger of Bitcoin transactions, showed that payment of 414 Bitcoin was transferred to the attacker’s address on July 28th. The criminals claimed to have locked 30,000 computers, but such claims were not verified by CWT, which cited an ongoing investigation and said it had involved law enforcement authorities. “We can confirm that after temporarily shutting down our systems as a precautionary measure, our systems are back online and the incident has now ceased,” the company stated. “While the investigation is at an early stage, we have no indication that personally identifiable information/customer and traveler information has been compromised.” Even before the chat transcript leaked, independent malware researchers found evidence that CWT had been victimized from ransomware samples uploaded to VirusTotal.
Although the revelation of the chat transcript is unfortunate for CWT, it can serve as a useful learning opportunity for companies preparing for dealing with ransomware in the future. Threat actors target companies from large to small, and they research financial information, or steal financial statements from internal documents, to determine how much to demand as an extortion payment. No matter what promises the criminals make, it is almost impossible to keep secret the fact that so many computers have been locked, or that a large ransom payment has been made. The negotiation also shows that if a company decides to pay, it is possible to reduce the ransom amount. The $4.5 million USD paid by CWT will fund ransomware operations and advances in the future, fueling attacks against many more companies for years to come. The best defense against having to negotiate with criminals is to invest in strong defenses and detect intrusions quickly to put a stop to them before attackers have a chance to steal sensitive information and lock computers across the enterprise. It is critically important to monitor systems for signs of attacker activity 24 hours a day and constantly improve detection capabilities to keep up with advances by attackers.