U.S.-based corporate travel firm CWT paid a $4.5 million ransom in Bitcoin to hackers who stole sensitive files from the company.

According to a July 31 report from Reuters, representatives from CWT (formerly Carlson Wagonlit Travel) paid ransomware hackers 414 Bitcoin (BTC) on July 27 — roughly $4.5 million at the time — over two transactions. Blockchain data shows the criminals transferred the funds to a different address within an hour.

The attackers said they used Ragnar Locker ransomware to disable access to files on 30,000 computers at the firm and steal sensitive data. They initially demanded $10 million, but accepted less than half after a CWT representative claimed the firm had suffered financial losses during the pandemic. 

Ransom negotiations visible to all

In an unusual show of seemingly cordial negotiations, considering the nature of the crime, a CWT representative and a representative of the hackers discussed the price of restoring computer access in a publicly accessible online chat group.

The ransomware group initially stated that such a ransom would probably be “much cheaper” than a lawsuit. In the chat, they even offered a “bonus” of recommendations on how CWT could improve its security measures if the firm decided to pay.

Online chat between CWT representative and hackers. Source: Jack Stubbs

According to chat records, some of the ransomware group’s advice included updating passwords every month, having at least three system administrators working at all times, and checking user privileges. 

After CWT made the payment, the hackers ended the chat with "it's a pleasure to work with professionals."

Easier just to pay?

Many businesses and organizations targeted by ransomware groups have ended up paying millions of dollars rather than risk sensitive information being released or face the prospect of not having computer access for an extended period. 

The University of California at San Francisco School of Medicine reportedly paid a $1.14 million ransom in crypto to the hackers behind a ransomware attack on June 1. Multinational tech company Garmin also recently received the decryptor to access their files following a massive hack, suggesting the company may have paid all or part of the $10 million initially requested by hackers.

However, not everyone is inclined to give in to the demands of criminals. An unnamed English Football League club refused to pay a $3.6 million ransom requested by hackers who targeted its corporate security systems in July, resulting in a huge loss of data.