UPDATED 22:38 EDT / AUGUST 02 2020

SECURITY

Travel management company CWT hands over $4.5M following ransomware attack

Business travel management company CWT Global B.V. is the latest company to pay a ransom demand following a ransomware attack.

According to a report Friday by Reuters, the company paid $4.5 million to those behind the ransomware after the attack knocked some 30,000 of the company’s computers offline.

The hackers are also alleged to have stolen reams of sensitive corporate files, although the company denies it. CWT is one of the largest travel companies in the U.S. and ranks fifth on a list of the top-earning travel companies in the world. Its clients include a third of the companies on the S&P 500 U.S. stock index.

The ransomware attack is said to have involved Ragnar Locker, a form of ransomware that attacks Microsoft Windows and usually targets software used by managed service providers to prevent the attack from being detected and stopped. Once successfully deployed on a targeted computer or network, Ragnar Locker first performs reconnaissance and pre-deployment tasks, including stealing a victim’s files, before encrypting files and demanding a ransom.

Those behind Ragnar Locker are believed to be independent but in the past have teamed with the Maze ransomware gang to extort victims.

Remarkably, negotiations between CWT and those behind the attack were undertaken on a publicly accessible online chat group. The hackers initially demanded a payment of $10 million to restore CWT’s files and delete all stolen data, saying that “it’s probably much cheaper than lawsuits expenses [sic], reputation loss caused by leakage.” A representative of CWT said it was acting on behalf of the company’s chief financial officer and wrote that the company had been hit hard by COVID-19 and would agree to pay $4.5 million instead.

Reuters notes that a payment equivalent to $4.5 million in bitcoin was subsequently sent to a wallet controlled by the hackers on July 28.

Some companies feel that they have no choice other than to pay a ransom to restore computer networks or prevent the distribution of stolen data, but doing so only empowers hackers to try their luck with more companies. Sneha Kokil, software security consultant at electronic design automation firm Synopsys Inc., told SiliconANGLE last year that “security experts suggest not paying ransoms because it may encourage expanded or copycat attacks” and that “additionally, in many cases there is no guarantee that the paid ransom will release the decryption key for you to access the data being held for ransom.”
