Cyber Attacks for Ransom: Exponentially Growing Problem (Post 1 of 3)

Four years ago, when I started to follow the progression of ransomware attacks, two of the prominent examples of that time were the 2016 hack of Uber, in which the attackers captured data on 57 million driver and rider accounts and Uber paid a $100,000 ransom, and the 2017 hack of HBO, in which several "Game of Thrones" scripts were stolen and HBO offered $250,000, according to press reports.

Well, hackers have taken their ransom demands to a whole new level. Now, hackers are routinely paid hundreds of thousands of dollars, and sometimes millions, before companies regain access to their files.

RECENT EXAMPLES

In June, the University of California San Francisco (UCSF) paid $1.14 million to unlock files at its medical school;

In July, the U.S. travel management company CWT reportedly paid $4.5 million to get its files back;

And it has been reported that Garmin Ltd. paid as much as $10 million to resolve its July hacking episode.

For the next few posts, I will discuss various issues related to ransomware attacks.

ANATOMY OF A HACK AND A $4.5 MILLION PAYOUT

As I mentioned above, in July of this year the travel management company CWT was hacked and reportedly paid $4.5 million to get back access to its files.

What makes this episode particularly instructive is that the communications between the hackers and CWT were made public.

In a View from the Wing article, written by Gary Leff and published on August 13th, titled, “Travel Management Firm Pays $4.5 Million Data Ransom, The Negotiation is Online For All To Read,” we get to witness the sobering and disturbing exchange between CWT and the criminals.

I urge you to read the following partial and disturbing transcript of the EXTORTION between CWT (the victim company) and the hackers, reproduced with its original grammar and spelling errors:

Sunday, July 26, 2020

CWT: Hello? What do we need to do to get our data deleted from your servers and unlock our files?

Monday, July 27, 2020

HACKERS: You have 30,000 infected and locked devices from different countries. Our price is consists of the services, decryption software and deleting all downloaded data from our servers. If you need both of them you have to pay $10,000,000 in Bitcoins, before the timer on main page will ends. As a bonus we will provide you with the details about how we break your security perimeter and give you recommendations about improving security measures to help your admins avoid such issues in future.

HACKERS: For sure we understand your worries about this deal, that’s why we will decrypt two random files for Free, just to prove that our decryptor is working properly!

CWT: So in your message that you left us, you mentioned a “Very SPECIAL PRICE” if we reached out to you within 2 days, which we did. There’s no way that $10M is a “very SPECIAL PRICE” right?

HACKERS: This price isn’t a Special price, correct! However, it is a standard amount for company of your size and it’s probably much cheaper than lawsuits expenses, reputation loss cause by leakage.

Yes we did offered a special price and you are eligible for it, so if you are ready to process the payment promptly, we can make a step forward to your direction and give you a discount

CWT: I appreciate the discount and kind words here, but to be honest, we were hoping for something that we actually have available cash for. I completely understand that this is a business for you, but right now I’m tasked with trying to keep our business afloat. In all honesty, $8M puts us in a spot where we would need to double current revenue to keep our doors open. We were willing to get you $3.7M potentially today if we could have found common ground. I don’t mean to belittle you and your team’s work here. I’m just trying to help prevent further layoffs on our side.

HACKERS: We appreciate your offer, but understand us too, this is the market and you have been offered an adequate price. unfortunately, the amount you offered is not enough to close our deal with you, we gave you 20% not because we are ready to bargain heavily, but because we see your business spirit and immediately gave you a good discount, we can offer 5% discount more and payment by installments. For example fore $4M you will get the Decryptor and after you will pay the rest amount, we will delete all the private Data.

Reportedly, after the ransom was paid, the hackers provided the promised security advice. (See the article linked above for details.)

Tuesday, July 28, 2020

CWT: Thank you for all of this in a very timely manner.

HACKERS: You are welcome it’s a pleasure to work with professionals. If there be any questions, please feel free to ask.

Please confirm that you wrote down all important information from this Chat, we we could clear it. However we will keep the chat room and will be here for your support if necessary

MY REACTION

I found this transcript compelling. It is said to be more useful to “show” than to “tell.” This transcript “showed” me. It made me sick to read. It made me sick to read how CWT was coerced into paying these criminals.

NEXT POST: What do security experts have to say?

Disclaimer: IPPIBlog.com is offered as a service to the professional IP community. While every effort has been made to check information in this blog, we provide no guarantees or warranties, express or implied, with regard to content provided in IPPIBlog.com. We disclaim any and all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such person and the accuracy and validity of the information provided by them. This blog is provided for general information purposes only and is not intended to provide legal or other professional advice.


Ron Alvarez is an IP Investigations / Protection writer and licensed private investigator in New York City. He is a former NYPD lieutenant who investigated robbery, narcotics, internal affairs, and fine art theft cases. Ron is a graduate of the FBI National Academy and earned a B.A. in Government and Public Administration from John Jay College of Criminal Justice in Manhattan. He has published a number of articles on various investigative topics for PI Magazine. Ron is certified by the Interpol-International IP Crime Investigators College (IIPCIC) as a "Transnational and Organized Crime Intellectual Property (IP) Investigator."

1 comment on “Cyber Attacks for Ransom: Exponentially Growing Problem (Post 1 of 3)”

  1. Good Job on this Blog Post concerning Ransom Attacks
    I had no idea as to the scope of this problem
    Thank You for this information
    Tom Manley
    Special Agent FBI- Retired

