Last week, the server that hosted an online chat between the operators of the Ragnar Locker ransomware and a representative of the global travel services company Carlson Wagonlit Travel (CWT) was left open to the public, which made the full text of the negotiations between the criminals and their victim available to news reporters.

The criminals treated the negotiations as if they were a business deal, and demanded a payment of $10 million USD in return for “services provided,” which included a decryption key and software to restore files, consulting advice about how they broke in and what CWT should do to secure its computers in the future, and assurance that all the sensitive customer information that was stolen had been deleted. The criminals also promised not to publicly reveal information about the hack, to help CWT avoid reputational damage and possible fines under laws including GDPR.

The chat showed that CWT negotiated the payment amount down from $10 million to $4.5 million, and the blockchain, a public ledger of Bitcoin transactions, showed that a payment of 414 Bitcoin was transferred to the attacker’s address on July 28th.

The criminals claimed to have locked 30,000 computers, but CWT did not verify that claim; the company cited an ongoing investigation and said it had involved law enforcement authorities. “We can confirm that after temporarily shutting down our systems as a precautionary measure, our systems are back online and the incident has now ceased,” the company stated. “While the investigation is at an early stage, we have no indication that personally identifiable information/customer and traveler information has been compromised.”

Even before the chat transcript leaked, independent malware researchers had found evidence in ransomware samples uploaded to VirusTotal that CWT had been victimized.