First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo

Exclusive: US corporate travel management firm Carlson Wagonlit Travel has suffered an intrusion and it is believed the company paid a $4.5m ransom to get its data back.


The attack hit the company a week ago, causing a shutdown of all systems while the infection was contained and dealt with.


It appears that Carlson Wagonlit may have paid a ransom demand in excess of 400 Bitcoins, or $4.5m at current rates – a sum its $1.5bn annual revenues may have been able to absorb without too much trouble. A Twitter user posted the first indication of a breach, as well as the ransom, on Thursday:



Twitter user @JAMESWT_MHT posted about Ragnar Locker hitting CWT.



Malware analysis sites linked in the tweet showed that a sample of the ransomware was uploaded on Monday 27 July.


Carlson Wagonlit, which recently rebranded itself CWT, provides travel and hotel booking services on what it calls a B2B2E basis – business to business to employee. Companies contract out the tedious parts of arranging corporate travel to CWT rather than doing it themselves. The Register understands that while CWT notified some of its corporate customers earlier this week, it also told them that individual travellers' data was not compromised – and that seems to be where the notification chain stopped.


In a statement, the company told The Register:

A spokesman referred us back to the prepared statement when we asked whether CWT paid the ransom and if so, how much. Regrettably, it seems the firm has joined the ranks of other multinationals paying off criminals, includ ..