back to article First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo

US corporate travel management firm Carlson Wagonlit Travel has suffered an intrusion and it is believed the company paid a $4.5m ransom to get its data back. The attack hit the company a week ago, causing a shutdown of all systems while the infection was contained and dealt with. It appears that Carlson Wagonlit may have …

  1. DavCrav Silver badge

    "The bullying tactics used by these ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate."

    Yeah they are. Just make paying a ransom a criminal offence, punishable by, say, ten years in prison for the CEO. Sorted.

    1. AIBailey

      Just stop acknowledging Bitcoin (and other such "currencies") as legitimate currencies.

      The only reason blackmail attempts such as this are able to succeed is due to the anonymising effect of Bitcoin etc.

      1. Loyal Commenter Silver badge

        Care to point out anyone who actually does claim that cryptocurrencies are actually "legitimate currencies"?

        Even if they were considered as such, I think your suggestion would have about as much effect as trying to stop football violence by declaring that football isn't a sport.

        edit - I'll also point out that Bitcoin transactions are technically less anonymous than cash, since every transaction is recorded for posterity in the blockchain along with the sender and recipient's IDs. If you bother to google it, you'll discover that these have, in the past, been linked to people's identities and used in police operations to trace the movement of cryptocurrency. It's just that until you work out who those wallet IDs correspond to, they are anonymous.

        Cash, on the other hand... Well, there's a reason there’s such a thing as money laundering, and there are many, many forms it can come in. If you found £20 on the street, could you tell where it had come from? And before that? Back to the point in time it was minted? Because you can with bitcoin. It's all there in the blockchain.

        1. Loyal Commenter Silver badge

          Just to add: I'm no Bitcoin evangelist, but they are a thing that exists (and they do kind-of have a purpose, although it's not one that will replace money in any meaningful way).

          That genie is out of the bottle, and they are a tool that criminals can use, because although their value fluctuates wildly, they can be passed on for cash, and they are a lot easier to use for ransom than a suitcase of unmarked non-sequential bills, or bearer bonds, or diamonds, or whatever.

          Getting rid of the means of payment won't get rid of the crime they are used in. if you go down that line of thinking, you might as well end up with the Dark Judges from 2000AD. All crime is committed by the living, the crime is life, the sentence is death.

        2. Bill Gray

          In re tracing cash...

          At my local bank, I noticed someone depositing cash. The bills were inserted in a cash counter, which (I assume) would have no difficulty detecting serial numbers. And, of course, when dispensing cash at an ATM, the bank could know which bills were passed out to whom.

          I dunno to what extent banks and other cash-scanning/dispensing businesses are taking advantage of this ability. It's very limited, in that the bank in question can't be especially confident that it'll see the same bills twice. But it does seem that if there's a way to conduct surveillance, people will do it.

          1. doublelayer Silver badge

            Re: In re tracing cash...

            Sure, that can be done, and it is done to detect known theft of bills with sequential serial numbers because such lists can easily be passed around. However, it doesn't provide you the same kind of information that bitcoin does. Cash can be spent several times before it ends up in a bank, and so even if you know that a criminal obtained such a banknote and it returned to a bank via a deposit from a retail store, you don't know that a criminal was the one spending it at the store. If the criminal doesn't steal it from the bank, but instead steals it from somewhere else which probably doesn't catalog serial numbers, then even when it ends up in a bank, you don't know that it was ever connected to a crime. Meanwhile, we may not know who spends each bitcoin, but we can track an individual one through every transaction short of just giving the wallet key over to someone else.

          2. aregross

            Re: In re tracing cash...

            AFAIK, ATMs do not keep track of bill serial numbers, in or out.

            Edit: In fact I'm sure of it. Each cassette is setup for a specific denomination. There is no OCR device after that. And the Armoured carrier sure doesn't keep track of them!

            1. doublelayer Silver badge

              Re: In re tracing cash...

              True, but there can be logs of which serial numbers were placed into the ATM before they were printed. Especially when using newly manufactured banknotes, the stacks are consecutively numbered. This is useful to catch people working for the bank who see a large stack of cash and think of the potential to pick it up and run. Going in is another question. I don't think they OCR those bills most of the time, but there is a facility to do so elsewhere and it is done on occasion. Having never worked in that area, I don't know how the scanning is done when it is deemed necessary or how routine it is.

            2. Anonymous Coward
              Anonymous Coward

              Re: In re tracing cash...

              > Edit: In fact I'm sure of it. Each cassette is setup for a specific denomination. There is no OCR device after that. And the Armoured carrier sure doesn't keep track of them!

              The armoured courier gets its cash from a bank - not a regular branch that allows customers in - but a cash handling centre. The notes are new and their numbers are all known. The courier has to load them in to the cash machine in the specified order so that bank knows exactly which note(s) went to which cash machine user. If the courier makes a mistake and loads them out of order, the bank still knows which small subset of users potentially got the notes.

              Deposits won't be scanned by the ATM but will be scanned back at the cash handling centre when they are counted.

              All this means that the bank won't necessarily see its own notes back in again but it does mean that the police can - if they seize cash - ask the central bank which retail bank got that note and then ask that bank where and when it was distributed.

              This is why criminals like used notes - they were originally issued to someone innocent so no use for tracing - and no longer in sequential blocks so a pain to request tracing of more than just a few samples - just in case.

              Amusingly (unless you work in that department) armoured couriers quite often fling the canisters into the vans so forcefully that it triggers the anti-theft dye pack which coats the notes in lurid, indelible dye. The notes can't go though the machines but still have to be counted though.

          3. Anonymous Coward
            Anonymous Coward

            Re: In re tracing cash...

            My local Barclays outside ATM’s permit payment in of cheques and cash, pay in a cheque and they print a pic of it on your receipt, pay in cash & it’s counted, any rejected notes spat out and you get to confirm the amount to deposit. I assume they ocr & confirm the inbound cash is legit before accepting it. I no longer need to visit a teller before depositing cash into my account.

            Very handy to cycle old soon to be out of use notes from my home safe. Need to remember to withdraw the cash again before the next pandemic.

            1. AIBailey

              Obligitary...

              https://xkcd.com/2335/

        3. Packet

          While I agree with you that the point of the blockchain is to have every transaction linked to it - there is also that 'washing' thing done for Bitcoin by exchanges.

          I suppose it comes down to how extensive (and how present/available) logs of such activities are.

          If the 'washing' does remove/obfuscate the bread crumbs trail, then it's rather more anonymous?

          PS: just an opinion on the workings. I still contend that any non-sovereign government backed currency is a scam and waiting to be unloaded onto the next sucker

          1. aks Bronze badge

            "I still contend that any non-sovereign government backed currency is a scam and waiting to be unloaded onto the next sucker"

            I'm not sure why you regard sovereign government backed currency as not being a scam.. If it quacks like a duck ...

            1. Packet

              Sir - can you please substantiate your remark?

              Else it's rather unhelpful.

              Allow me provide you with some information: A sovereign government backed currency means that it has government revenue and taxes, economic data (imports, exports, GDP calculations) to provide the said currency with a preferred (or non-preferred) rate of exchange in the world currency markets

      2. Lars Silver badge
        Happy

        Stop using Windows could help a lot too.

        1. Pier Reviewer

          “Stop using Windows...”

          Won’t make you any more secure against this type of attack. It was a targeted attack using a VM (i.e. they can deploy it on anything a VM can run on). They simply phish users, gain network access then deploy the VM.

          Using Win10 actually makes you less likely to be hit by this particular attack if you enable Hyper-V as any fool know.

    2. Loyal Commenter Silver badge
      Facepalm

      A well thought-through bit of victim blaming you've come up with there. What have you got for a follow-up? Rape victims shouldn't dress so slutty?

      1. Anonymous Coward
        Anonymous Coward

        Totally not the same. Any business that doesn't have a robust backup solution doesn't deserve to be in business.

    3. Lon24

      "Yeah they are. Just make paying a ransom a criminal offence, punishable by, say, ten years in prison for the CEO. Sorted."

      Surprised at the downvotes. As a business if I stand to lose £5 million but can pay a ransom of £1 million it's a no-brainer. I'll pay up and the fact that will incentivise attacks on my competitors is not my problem. But if it's a choice between my business and prison then it's another no-brainer ;-)

      The only possible ethical reason to pay a ransom is if human life is at risk. That's a difficult one because that invites more attacks in that direction. Which is why any decision should be considered by a disinterested party who can take the 'public good' into account not the financial balance sheet.

    4. NightFox

      "Just make paying a ransom a criminal offence, punishable by, say, ten years in prison for the CEO. Sorted."

      Not really. As I mentioned in another thread, in countries that have made ransom payments for kidnap illegal, people are less likely to inform the authorities of a kidnap so the authorities can't then obstruct/prosecute them for paying the ransom to save their loved one (it's not unheard of for authorities to freeze the assets of someone who reports a kidnap to prevent any ransom payment). As a result, it's easier for kidnappers to operate knowing that there's little chance of the police getting involved. The same would probably apply with ransomware.

      There's also ways around making an obvious payment to the demanders. You can't be seen to pay a $5m ransom, but you can engage a 'specialist' consultant to either negotiate with the kidnappers or disinfect your IT systems for maybe $1m, that consultant being either a front for the kidnappers/malware pushers, or a legitimate consultant laundering the ransom payment before passing it on to the baddies.

      Have to say though, it seems a poorly-chosen time to target CWL when business travel is at an all time low.

      1. I am the liquor

        A ransomware attack is somewhat different to a kidnapping. The entire company knows that the computer systems were suddenly down. The entire IT department knows why. None of them are paid enough to be accessories to a felony. If the CEO chooses not to report to the data protection authorities, they're taking a big gamble.

    5. bombastic bob Silver badge
      Stop

      Just make paying a ransom a criminal offence

      you know, that makes sense until you see a drop in reported ransomware crimes...

      "unintended consequences".

      1. John Brown (no body) Silver badge

        Re: Just make paying a ransom a criminal offence

        Agreed, except that across the EU, GDPR comes into play. Don't report the breach and the fine could be more than the ransom you already paid.

    6. Persona Silver badge

      Just make paying a ransom a criminal offence, punishable by, say, ten years in prison for the CEO. Sorted.

      OK say you become CEO of a small firm and I work for you. I get caught by a phishing attack and pay a £50 ransom out of petty cash to get the data back. Later on you and I have a falling out about something else so I report the ransom payment to the authorities and you go to jail for 10 years......... Sorted.

      Is it really important to stop people paying these ransoms?

      1. I am the liquor

        The success of one attack motivates the attackers to repeat it against others, causing much greater losses to the wider economy. Losses which are not borne by the original victim - to them it's an externality, which doesn't come into their financial calculation about whether to pay the ransom or rebuild their data.

        The idea of threatening sanctions to force companies to consider such externalities is hardly a new one. It's why companies get fined for polluting water courses or exposing our personal data.

        Fines are the appropriate sanction here, though, not prison: you just need a sufficiently large monetary penalty to alter the financial calculus for the company, à la GDPR.

    7. Graeme5

      I was just thinking paying a ransome is funding organised crime / terrorism. It should be illegal.

      1. Persona Silver badge

        I recall video piracy was branded as financing organized crime. It always made me laugh to think that the drug and prostitution business was such a loss maker that they need to flog a few pirate DVD's in order to keep in business.

        1. CAPS LOCK Silver badge

          Hahahah, yes..."You wouldn't download a car!"...

          ...I would, I've got a 3d printer...

    8. Packet

      Why?

      Wouldn't you rather focus your efforts and criminal proceedings against the actual perpetrators rather than the head of the business who is being forced to make a business decision because of the ineptitude of their IT department?

      Someone in IT fucked up - and allowed this to happen, it's that simple. Direct your rage there.

  2. Mike 137 Silver badge

    <sarc>Nice precise guidance</sarc>

    "... If it's likely that there will be a risk then you must notify the ICO ..."

    What a muddle! Of course there's always a risk - the real question is what the level of risk is. And of course likelihood is one of the two parameters of risk - the other being consequence, so "likelihood of risk" is both specious and tautological.

    Official guidance should be neither, so why does the guidance not say something like "if there is a high likelihood of significant harm to the rights and freedoms of data subjects..."?

    Maybe because the use of the term "risk" in the vernacular has always been utterly sloppy and even risk professionals in general don't seem to use a consistent definition of it. It's about time we did.

  3. BobBobBobBobBob
    Mushroom

    Negotiations still online?

    This is not a good look for them https://twitter.com/jc_stubbs/status/1289199762663604224

  4. IGotOut Silver badge

    I wonder if...

    ..anyone would say "We paid $10 million but they didn't unlock our files"

  5. Mark192 Bronze badge

    Crikey

    It's all very well saying saying "don't pay the ransom" but when they've gone after your backups too and the future of your business is in doubt...

    1. Hubert Cumberdale

      Re: Crikey

      Yes, but they shouldn't be able to go after your backups if you've got them set up properly. I'm a sole trader working from home, and I have multiple, rotated, offline backups. Even if ransomware sat hiding on my system for weeks, I'd still have most of my data at the point when it revealed itself. Best case, I'd lose nothing. Absolute worst case, I'd lose 30 days – and they'd have to have worked very hard to keep hidden from me in that time. I have a spideysense for unusual behaviours or slight, unexpected hesitations on my machines when there should be none, and I go delving to find out what's happening. But I guess that's an advantage of having a small set-up and an enquiring mind.

      1. Hubert Cumberdale

        Re: Crikey

        Thumbs down? Really? I'm not saying I have no sympathy, but I've lost count of the number of times someone has come to me saying that their computer has "died" and could I get their data back please? Are you giving thumbs down to the use of decent backup solutions, or to my apparent lack of sympathy? If someone is hit by a drunk driver and dies simply because they weren't wearing a seat belt, then it's still a tragedy. But they were still being stupid.

        1. P. Lee Silver badge

          Re: Crikey

          I didn’t downvote, but in large businesses it going back in time could be more expensive.

          Take amazon for example. “Just go back to your backup from 28 days ago” won’t cut it.

      2. Graham Cobb

        Re: Crikey

        The really interesting thing is that the recent attacks have gone after LARGE companies. Those companies almost certainly have good backups and maybe even reasonable disaster planning. However, it seems that if you choose a large enough company, they will be willing to pay a substantial sum just to minimise their downtime.

        Restoring all backups, including all the employee desktops, will take a lot of time, and a lot of effort and cause massive business disruption. A few million to reduce that to (say) 24 hours to decrypt and restore operation probably looks like a good deal.

        Of course, as well as the obvious problems of rewarding criminals, how do you know you really have a safe environment afterwards? All data correctly restored? No hidden infections waiting to hit you up for an ongoing "insurance fee" (protection money)?

        1. Anonymous Coward
          Anonymous Coward

          Re: Crikey

          It’s not just the time involved in restoring backups.

          In some cases - including several that I have worked recovery on - the companies may have been running on-prem systems and not have capacity to restore any system to, as the on-prem systems they would restore to may be locked down for forensic investigations required by insurers.

          And getting new gear in the time of Covid may not be easy.

          A/C for obvious reasons.

      3. I am the liquor

        Re: Crikey

        30 days is the worst case if the ransomware has been there for less than 30 days. What if it's been encrypting all the data you've been backing up for months?

      4. Wilco

        Re: Crikey

        >Yes, but they shouldn't be able to go after your backups if you've got them set up properly.

        I don't know how that would work. If malware gets onto a backed up machine, it's probably going to lie doggo for a few weeks while it spreads across the network, and so it will be in multiple backups. It's possible that an alert, technically savvy person such as Hubert could spot something, but the backups are still going to include the malware.

        The malware might encrypt the backups, though that is probably quite tricky because it would require compromising elements of the backup software.There is still quite a diversity of backup solutions available so this sounds quite hard.

        Even if you backups are readable you've still got a big problem. Any largish business is going to have hundreds or thousands of machines and databases to wipe, rebuild and restore. And each of them will need to be forensically checked to ensure that it the backup hasn't restored malware. You might be able to get a few key systems up from backup fairly quickly, but your infrastructure is going to be in bits for weeks while you check every single object on your network with any kind of microprocessor to make sure that no nasties are lurking.

        It's hard problem because no matter how carefully you run your infrastructure, it's nearly impossible to stop a really determined and technically skilled opponent from breaching your defences. The zero days can always get you.

  6. redpawn Silver badge

    You get what you pay for

    If you pay them double, they will leave you alone for two years. If you pay them ten times what they ask, you will be forever free of ransomware. Invest wisely.

    1. Hubert Cumberdale

      Re: You get what you pay for

      You have chosen... poorly.

    2. J27 Bronze badge

      Re: You get what you pay for

      If you pay this one group to leave you alone, you paint a huge target on yourself for all the others.

      1. veti Silver badge

        Re: You get what you pay for

        You mean, for the same group after it changes its name three months later. Or for factions of it after they inevitably fall out.

  7. Anonymous Coward
    Anonymous Coward

    " corporate travel management firm "

    who knew that sort of thing existed

    1. This post has been deleted by its author

    2. Stork Silver badge

      I did. My wife had such an arrangement and a very good agent in the other end, he got her on the last plane when everything closed due to the Icelandic volcano.

      Knowledge such as which airports you can make your connection in is also a thing

      1. Stork Silver badge

        As in: avoid trying in CDG

  8. J27 Bronze badge

    A company that size doesn't have off-site backups? That's just staggeringly incompetent.

    1. Twanky Bronze badge

      Not off-site (though that is a good idea too), but off-line backups. In the reported case the bad guys were able to spin up a VM in CWT's systems which means (should mean) highly privileged access. If CWT had off-line backups then perhaps the same privilege was used to bring them on-line and damage/delete them?

      The above is speculation of course, but if bad guys have had highly privileged access to your systems then you can never be sure they really are your systems any more.

      1. Pete B
        Unhappy

        "In the reported case the bad guys were able to spin up a VM in CWT's systems which means (should mean) highly privileged access."

        Not necessarily - a successful phishing attempt to an employee with local admin rights to his desktop machine would be sufficient. (Or elevation via an unpatched vulnerability if no local admin rights). You're thinking they managed to spin up a VM on the company's hosting infrastructure, but almost any PC would do the job.

    2. P. Lee Silver badge

      Sometimes the criminals are sneaky and go after the backups first.

      1. alain williams Silver badge

        Writable backups

        Any backup should be read only. You can add new stuff to the backup but removal should be very hard.

  9. The Boojum

    Double Negative!`

    Am I the only one struggling with the phrase "less than half of businesses paying ransoms don't recover all of their data"? Or is is simply a bit more attention grabbing than "more than half of businesses ... recover all of their data".

    1. I am the liquor

      Re: Double Negative!`

      It's a mistake, the actual headline at the other end of the link is "Less than half of paying ransomware targets get their files back."

  10. Anonymous Coward
    Anonymous Coward

    We need a public list of first who give in to ransomware

    What we need is a public register of firms known to have given in to ransomware criminals. Then we could take our custom elsewhere. That might in the long run affect their bottom line enough to dissuade them.

  11. Potemkine! Silver badge

    Garmin, CWT and al. are now confirmed valuable targets

    I also read somewhere that Garmin only decrypted, but didn't reinstall its infrastructure. The villains could have plant some nasty malware somewhere in Garmin's IT, waiting for being activated. They should have done it if they are smart villains.

    Short-term view rarely pays in the long term.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020