Travel company CWT avoids ransomware derailment by paying $4.5m blackmail demand – Naked Security


According to reports, Minnesota-based business travel company CWT is the latest victim of a growing trend in ransomware.

In fact, we’re probably at the point where we need to stop calling these just “ransomware” attacks, because it’s increasingly common that there’s a lot more to them than merely locking you out of your files, which is how we usually think of ransomware.

When ransomware first became big news thanks to malware such as CryptoLocker, back in the early 2010s, the crooks behind the crime deliberately chose to use in-place encryption to tie up your computer.

They didn’t need to do it that way – they could have stolen all your files first and then deleted the copies off your computer, and then sold you back your files.

They could have proved they had the files by inviting you to name a couple and then sending them back for free – given that they wouldn’t know which names you’d pick, this would probably convince you that they had all the others, too.

But that approach would have been slow, and troublesome, especially when the crooks were targeting as many victims as possible and aiming to make $300 a time out of hundreds of thousands of people.

Back then, the average home user or small business on an ADSL connection just didn’t have enough upload bandwidth to make this sort of attack practicable – and getting the files back to victims who paid up would have been unreliable, too, which would have discouraged people from paying up on technical grounds as well as moral ones.

So the crooks encrypted the files in place, and all they needed to upload to themselves (and hide from you) was the decryption key – data that would fit into a single network packet.

The encryption happened at disk speed, not network speed, so it was harder to spot and finished quickly.
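Because in-place encryption never touches the network, the signal that it is happening has to come from the host itself. The script below is an added example, not code from the article or from Sophos: it flags a burst of file rewrites whose content goes from structured text to near-random bytes, which is what ciphertext looks like statistically. The file paths, the sample documents and the event batch are all constructed in the script; the entropy thresholds (7.5 bits per byte, a jump of 2 bits) are assumptions a deployment would tune.

```python
"""Entropy-based detector for in-place file encryption.

Added example (not from the Naked Security article). Ransomware that
encrypts files in place replaces structured, compressible content with
ciphertext that is statistically close to uniformly random bytes.
Comparing per-file Shannon entropy before and after a burst of writes
is one host-level signal for that, since nothing crosses the network.
All inputs below are constructed in-script; thresholds are assumptions.
"""
import math
import os
from collections import Counter
from dataclasses import dataclass


@dataclass
class WriteEvent:
    """One observed rewrite of a file: content before and after the write."""
    path: str
    before: bytes
    after: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(before: bytes, after: bytes,
                    high: float = 7.5, jump: float = 2.0) -> bool:
    """A rewrite is suspicious when the new content is near-random AND the
    entropy rose sharply. Files that were already high-entropy (zip, jpeg,
    an existing encrypted container) fail the jump test and are not flagged."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return e_after >= high and (e_after - e_before) >= jump


def flag_burst(events: list[WriteEvent], min_hits: int = 3) -> list[str]:
    """Return the paths of suspicious rewrites if enough of them occur in one
    batch of events. A single hit could be a user legitimately encrypting a
    document; a run of them across many files is the ransomware pattern."""
    hits = [ev.path for ev in events if looks_encrypted(ev.before, ev.after)]
    return hits if len(hits) >= min_hits else []


def constructed_events() -> list[WriteEvent]:
    """Constructed sample batch: four text documents overwritten with random
    bytes (simulating in-place encryption), one benign text edit, and one
    archive that was high-entropy both before and after."""
    doc = b"Quarterly travel budget, draft. Flights, hotels, per diem.\n" * 40
    events = [
        WriteEvent(f"/srv/docs/report{i}.txt", doc, os.urandom(len(doc)))
        for i in range(4)
    ]
    events.append(WriteEvent("/srv/docs/notes.txt", doc, doc + b"Edited.\n"))
    events.append(WriteEvent("/srv/docs/archive.zip",
                             os.urandom(2000), os.urandom(2000)))
    return events


if __name__ == "__main__":
    for path in flag_burst(constructed_events()):
        print("suspicious in-place rewrite:", path)
```

In practice the "before" content would come from a snapshot, a backup index or a canary file rather than from memory, and the batch window would be a few seconds of filesystem events; the point of the jump test is to avoid paging on every write to a compressed or already-encrypted file.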

Also, the early ransomware attackers went out of their way to provide the decryption keys to those who paid up as quickly as they could – paradoxically building up a reputation for ransomware gangs as “crooks who could be trusted”.