
US travel firm $4.5M ransom negotiation open chat - technion
https://twitter.com/jc_stubbs/status/1289199296328298497
======
hellotomyrars
While these stories are becoming all too common I’d like to think that while
we’re in a golden age of ransomware payouts, it will lead to actually
caring about security by many of the high-profile affected companies.

While the overall cost may be low for them, if they don’t make meaningful
changes to prevent these issues in the future, it’s not hard to imagine it
might add up quickly.

I don’t support these attacks and some of the targets in particular are
insidious, like hospitals where an attack could lead to an actual death toll,
but it might actually be the kick in the ass many organizations need to
actually care.

It’s sad that it’s come to this point but the end result may be better for
everyone.

~~~
0x00000000
Nothing will change until they make it a felony to pay a ransom.

~~~
pc86
On what grounds would you make a monetary transfer like this illegal? Why a
felony? What's the punishment? Who gets punished when a public company does
it? You can't charge a company with a felony (usually). What about a private
company? LLC? Sole proprietorship? What about my laptop, can I pay a $1000
ransom for that?

~~~
0x00000000
I guess same as violating economic sanctions since it is similarly funding a
group that is by definition hostile to the US’s economic interests.

------
nlh
For some context about CWT (I was curious about these figures) -- via
Wikipedia[1]:

* US$1.5 billion in revenue
* 18k employees

For a firm like this, the payment probably amounts to a small uptick in a
small portion of their IT budget and won't even come close to hurting them
(and, frankly, neither would the $10m figure).

It's insane that this is the case and that companies are willing & able to pay
ransoms like this, but the hackers were right - the payment is much less than
lost business, bad PR, etc. if the actual information had leaked. Such is
where we are.

[1]
[https://en.wikipedia.org/wiki/CWT_(company)](https://en.wikipedia.org/wiki/CWT_\(company\))

~~~
nkrisc
It might over time. If I was deploying ransomware, the first thing I would do
after receiving a ransom payment from a company would be to try them again in
a month or two.

~~~
HenryBemis
And if you don't 'visit' them in a month or two, someone else like you will
visit them. Now they know their security is crippled, there is no way they
patched all holes (system, process, operations) on such short notice, and we
know they can be blackmailed and pay big money.

The only way to mitigate this risk is to actually walk the walk (implement
appropriate security controls).

------
noodlesUK
Whilst paying the ransom is often advisable in specific cases like these, it’s
absolutely a bad thing for society as a whole. Seeing successes like this will
encourage organised crime to keep doing this, as they know there’s gonna be a
big reward. It’s like the prisoner's dilemma. If people didn’t pay the ransom,
there wouldn’t be ransomware. But people don’t take precautions, so they have
to pay the ransom, leading to more ransomware... it’s a vicious cycle.

~~~
dannyw
To be honest, just how bad of a thing is this? It’s a direct financial
punishment for a company with lax security practices. It encourages greater
security practices.

The money is funnelled to a criminal group, but what difference does it make?
Some people consider the USG to be a criminal group; many people are out on
the streets for that. My tax dollars directly go to corrupt crooks and
nonexistent companies claiming billions for nonexistent PPE.

As a member of society, I don’t care if I’m paying a professional ransomware
group, or a professional corruption gang.

~~~
ryan_j_naughton
> It’s a direct financial punishment for a company with lax security
> practices. It encourages greater security practices.

That argument could be used to justify any theft or even kidnapping.

I know many people who grew up in countries where kidnapping was a very real
concern. Consequently, they had to adopt "greater security practices" and it
had a very real, negative effect on their lives.

There are real harms to ransomware. Companies go out of business, people lose
their jobs, people lose their service providers, etc.

To say, "it serves them right for not following proper security" literally can
be said for a mom/pop business in a poor neighborhood who didn't have
bulletproof glass or bars on their windows. It is negating the fact that (a)
the harms are very real and (b) security costs money and resources, which is
effectively another tax on their business.

If instead the government made it illegal to pay such ransoms and actively
audited large BTC transactions and charged people accordingly, then we could
get rid of the incentives to do this in the first place.

The government should similarly hold firms accountable when they are hacked
(due to the harms on consumers) and require prompt disclosure of any hacks.

There are ways to incentivize the preferred outcomes without supporting the
active theft of property and destruction of someone's business.

~~~
MattSayar
In addition, the company isn't the only victim in a ransomware attack, its
customers are too.

And does anyone really believe the hackers deleted the data off their own
servers? They can easily double-dip by selling that information. It's
valuable, so why would they delete it?

~~~
dannyw
Double dipping ruins the reputation of the hackers and future income
potential.

------
yrral
Here's a link to (photos of an lcd screen of) more of the chat, does anyone
know where to get the full transcript? Feels like it has to be available
somewhere.

[https://www.reuters.com/article/us-cyber-cwt-ransom/payment-...](https://www.reuters.com/article/us-cyber-cwt-ransom/payment-sent-travel-giant-cwt-pays-4-5-million-ransom-to-cyber-criminals-idUSKCN24W25W)

------
293984j29384
I found it interesting none of these sites actually provided the alleged
bitcoin wallet address. I found it @
[https://www.blockchain.com/btc/address/13nmJ3SsNB5pSyQrmX3e6...](https://www.blockchain.com/btc/address/13nmJ3SsNB5pSyQrmX3e6zveY9kHGw8Vs3)

~~~
lgregg
Clicked through the transactions and found this wallet:
[https://www.blockchain.com/btc/address/17A16QmavnUfCW11DAApi...](https://www.blockchain.com/btc/address/17A16QmavnUfCW11DAApiJxp7ARnxN5pGX)

A balance of 16m and over 1.4 trillion USD has passed through this account.

The oldest transaction I could find was 2019-11-02 14:19:
[https://www.blockchain.com/btc/address/17A16QmavnUfCW11DAApi...](https://www.blockchain.com/btc/address/17A16QmavnUfCW11DAApiJxp7ARnxN5pGX?page=10001)

~~~
zaroth
I would assume one address with 377k transactions that has seen over 131
million BTC move through it strongly implies it's some sort of tumbler
address. I'm not sure why reusing one address like this would make any sense
though...

~~~
Drdrdrq
It is more difficult to trace funds through a single node with gazillion
transactions. This is part of the laundering scheme. Of course, all such
addresses are immediately suspect, but if they pay out to innocent addresses
too... It's difficult to distinguish between signal and noise.

~~~
sonicggg
Isn't that overcomplicating things though? If tracing is a concern, why not
use Monero instead?

------
PragmaticPulp
This story is going to be used by every security consultant selling their
services for a long, long time.

~~~
adamparsons
When I started my career I'd always hear old greybeards talk about "oh this
one time.. some certain thing happened, and everyone learnt a lesson" and I
feel like I just witnessed one of those come into existence.

~~~
paulcole
Don’t be surprised if companies would rather roll the dice than pay whatever
it costs to prevent the problem.

$4 million once times the risk of getting hit vs. the up-front and ongoing
costs of dealing with an overly paranoid IT guy.

Tough call.

~~~
enneff
How many times would you need to do a security audit before this paid for
itself?

~~~
skolsuper
A company of this size? Just 10 or 20 times I'm guessing, which really doesn't
seem like a high multiple. This is why laws are required to correct the
incentives here.

------
momokoko
Let this be a lesson to those that say bitcoin and other cryptocurrency has no
real value outside of speculation.

This kind of attack would be almost impossible in the pre-bitcoin era. The
difficulty of receiving that volume of money in that short of a period of time
in a difficult to trace manner is a new thing.

We are entering a new era where crime can pay in very large sums with orders
of magnitude less complexity.

Instead of democratizing currency, we're democratizing large scale crime.
Previously only large organized crime organizations could perform such an
attack. Now, almost anyone can.

~~~
yyyk
>Let this be a lesson to those that say bitcoin and other cryptocurrency has
no real value outside of speculation.

>This kind of attack would be almost impossible in the pre-bitcoin era....
Instead democratizing currency, we're democratizing large scale crime.

Just wanted to make this same point - right now, cryptocurrency has _negative_
value for society. Perhaps this is a justification for banning the current
implementations.

~~~
NotSammyHagar
We need to make laws in western countries that paying off these kinds of
ransoms is illegal. It gives money to criminal elements and only encourages
this. I also thought it would be possible for powerful law enforcement groups
to follow the bitcoins even through exchanges. Why does this not run into the
worldwide hunt for the perpetrators?

~~~
vkou
It's theoretically possible for powerful state-level adversaries to follow
bitcoins through tumblers and exchanges (if they operate the former). Also, at
some point, you're going to have to be paying rent, so you'll need to turn
your BTC into dollars or pesos or pieces of eight, and may need to explain to
your friendly tax authorities how you came by 4.5 million USD worth of BTC.

In practice, though, it's not clear what exactly are the capabilities of each
branch of law enforcement.

~~~
jdietrich
In a lot of jurisdictions, your friendly tax authorities won't ask or care;
international fraud is a valuable source of foreign currency for many
countries as long as you're reasonably discreet about it. Banks and payment
processors can't afford to be nearly as blasé, because they're at far greater
risk of facing international sanctions; Bitcoin provides an essential layer of
obfuscation and deniability.

~~~
garmaine
In the US for example, there's an actual field in your 1040 tax return for
entering income from otherwise undeclared illegal businesses. Putting your
drug or extortion money there and paying taxes is not admitting guilt and
can't be used against you IIRC.

~~~
jobigoud
What does one gain by doing this? Is there a particular incentive apart from
one's own principles?

~~~
icelancer
Tax fraud is usually much more painful to suffer from instead of a simple drug
charge or illegal gambling charge. If you get nicked on drug charges there
will be parallel reconstruction to get you on tax fraud despite this "not
happening" between US government branches.

~~~
garmaine
I think you have it backwards. If you commit tax fraud, you will be
prosecuted. And the FBI will work with the IRS to do this.

But, supposedly, putting a non-zero value in the "illegal income" field of the
1040 (which ISN'T fraud) both (1) can't be used as evidence against you in
court, and (2) isn't reported by default to the IRS to the FBI or other law
enforcement agencies, so you don't end up on any watch lists.

Of course you gotta take their word for part (2), but it is their incentive to
get every tax dollar regardless of source.

~~~
icelancer
No sorry, I agree with you. I mean if you _don't_ declare your income THEN
you get busted on the illegal activity, you are guaranteed to get busted
twice.

~~~
garmaine
Ah I misunderstood, sorry.

------
nradov
It should be a criminal offense punishable by prison time for companies to pay
for ransomware keys. While that might cause some businesses to fail in the
short term, it would benefit society as a whole by eliminating the financial
incentive for such attacks.

~~~
Wowfunhappy
I'm curious, how do you feel about people paying ransom for traditional
kidnappings? Same logic, or is it different?

~~~
nradov
In general paying off kidnappers is also a bad policy. However I see a huge
difference between protecting human lives versus protecting corporate assets.

~~~
quickthrower2
Reading "Never Split The Difference" - sounds like the police will work with
families to pay off kidnappers in some countries, but get it down from millions
to a token amount. I think he aims for zero though most of the time.

~~~
kingsongchen
It seems to be a necessary part of the strategy though as the negotiation also
helps to delay and buy time for escape/rescue.

~~~
quickthrower2
They sometimes paid the amount. In some countries that was probably seen as a
better plan. It probably depends how loose the cannons are.

------
jstanley
Maybe I just don't understand either the ThreadReader or Reuters article, but
I couldn't find a transcript of the chat linked anywhere? Does anyone else
know where it is?

~~~
sbuccini
Click the images in the article (showed up as white boxes for me but clicking
through worked).

------
machinelearning
This is basically an advertisement for a career in black hat hacking.

~~~
projektfu
Or online money laundering.

------
Havoc
Gotta love that they pitch this as a "service" they provide. The person
talking to them must have been seething at having to treat them like
"professionals" too.

~~~
saalweachter
Isn't that almost a cliche of organized crime? It's not enough to be rich,
powerful, feared, people also have to pretend to like and respect you?

~~~
Havoc
Haha possible. Haven’t had many encounters with organized crime thus far,
thankfully.

~~~
saalweachter
I mean, neither have I, but it definitely shows up in pop culture depictions
of the mafia and drug lords and oligarchs and warlords.

------
TrackerFF
So what's the current optimal solution, as far as precautionary measurements
go - for these kinds of scenarios?

The more companies that shell out, the more it's going to happen / motivate
these pirates to continue with such rackets.

~~~
zanny
Offsite offline backups. Redundant ones. This scenario is really no different
than if your datacenter had a gas leak and blew up, particularly because you
never will ever be able to prove the attacker didn't retain your data
somewhere so all you can do is guarantee recovery. Of note in this case is
that the thieves only stole 2TB of data - this is a trivial expense to
orchestrate a manyfold backup regime for in near real time when the
alternative is shelling out millions.

And it's also about your threat model. If data leakage of any form threatens
your business you need way more security than if you just want to be able to
recover from exploits in your publicly facing infrastructure (or the ability
for a rogue actor inside the company to sabotage the business from the
inside).

At the most extreme, having physical separation of infrastructure with physical
token based auth and multiple signature verification to interact with data is
going to be a heavy price in diligence to maintain secrecy. At the lowest end,
having a redundant backup storage array with a cron job on all employee
computers to write versioned backup files every minute that doesn't have network
signin access.

~~~
TwoBit
As long as the backed up data can't be infected.

------
SergeAx
Garmin, now this, in one week. I believe it is much easier to pull a trick
like this with help from the inside. If so, with malicious insider's
incentives in a ballpark of hundreds of thousands we are doomed :(

~~~
dx034
And yet, these hacks tend to be done with some social engineering and no
insider knowledge. Many companies aren't well protected, you don't need an
insider to hack them.

~~~
SergeAx
I think this is just the beginning. Word is out you can extort millions with an
internet connection and some scripts, no guns and police chase involved. And
it looks like chances of getting away with the money are quite high. Compare
it with the Getty III ransom story.

------
glandium
What's amazing to me is that even though it stings, you get better "customer"
service from these criminals than from e.g. Google.

~~~
robjan
If your account is worth a few million dollars you get a direct line to
someone in Google.

------
qserasera
We are truly in the age of rich data pirates. I don't see them becoming extinct
any time soon with decent ROI like this.

I would be curious to learn the % of origins for most attacks.

[1] Incompetence by dumb employees

[2] Insider attacks

[3] Paid cybersecurity protection racket that take down strong systems with
stolen tech

[4] Unskilled or understaffed security employees

~~~
ars
The US needs to pass a Federal law making it _personally_ (not just
"corporately") illegal to pay ransom. That would stop them because it would
kill the market.

Historically it's how they stop kidnapping in countries where it's common. It
REALLY sucks for the first few people after the law is passed, but after that
things get better.

~~~
yrral
But wouldn't the payments just end up being passed through?

For example, one way to get around that is you could sign a contract with a
foreign consultant firm for "security services", say for 1 year, and they
would take your money, and pay a portion of it to the ransomware authors and
profit on the rest.

~~~
somehnguy
Wouldn't that be extremely obvious though?

~~~
learc83
Not when it's done through several layers of employees and then potentially
multiple layers of foreign companies.

It's very hard to find individuals to hold criminally liable for things like
this. When was the last time you saw a CEO go to jail when their company
killed someone?

------
yrral
Based on other articles, it appears they didn't hire specialty ransomware
consultants for the negotiation but still got a 55% discount. Wonder if they
did, if they would have been able to get a better all-in cost.

------
atlbeer
I’ve always been curious about the “on-ramp” here.

How does a legit company purchase $4.5M of Bitcoin in 24 hours?

I would assume using a “K&R” style broker but, without one of those how would
you do it?

------
Element_
Anyone know what exchange would allow them to purchase 4.5m of bitcoin on
short notice? I wonder if anyone can find the ransom payment transaction in
the blockchain.

------
dudus
Who's to say this isn't an internal job? Random developer that is unsatisfied
with his job sees blatant security hole and exploits it himself for ransom.

Let the money sit in a Bitcoin wallet for a while. Maybe move it around a bit
here and there and cash out a few years down the road. Good retirement egg.

------
imglorp
Another windows local admin/group/domain thing. When are IT departments going
to take it off their networks? Why have LANs at all, for most back office
work?

Immutable, versioned files in managed cloud storage eliminates the locker
threat (not the disclosure one though).

~~~
throwaway28848
When you work for a big IT team at a company that's already invested a fortune in
on-prem storage and your job depends on pre-cloud procedures, you keep your
mouth closed and do what's asked of you. After all, if the company gets
hacked, it's usually just the CISO that gets fired. Not you.

You made a very good point about Windows GPOs. The delivery mechanism for them
vs. how macOS does it shows how dated of a paradigm they are. It's bringing
back memories to me of importing ADMX templates, gpupdate.....

~~~
projektfu
Scenario 1: Keep head down, company gets attacked, shrug shoulders.

Scenario 2: Sell solid security and backup principles to management, fighting
annoying budget and corporate culture battles along the way. Company does not
get attacked. Nobody notices.

Scenario 3: Quietly set up an immutable backup service with hourly backups for
your enterprise without anyone really noticing. Company gets attacked.
"Actually, we do have backups. We can just reformat all those Windows
machines." Hero!

~~~
canada_dry
> backup service with hourly backups for your enterprise without anyone really
> noticing

Well, except this is similar to #2 as it will likely stand out in the budget -
especially the initial setup. IT being a cost centre has to fight for every
penny in most non-IT-centric organizations.

Plus, the hackers will still threaten to release your corporate data (i.e.
emails, client info) which would compel most companies to pay up.

Bottom line: every company needs good backups, intrusion detection, and system
hardening (with 3rd party review).

------
fblp
Wow. $4mil just like that.

~~~
k2enemy
But now you have $4 million in a bitcoin address linked to criminal activity.
Then what? How much do you lose along the way to having laundered cash in
hand?

~~~
ivalm
Aren’t there mixer services for that or just convert to monero? This is off an
exchange so lots of shenanigans to make things less traceable. I am guessing
these people know what they are doing.

~~~
runawaybottle
I’d imagine the feds are involved at this point. They paid to get their data,
but the feds have to be tracking the addresses from this juncture and
examining the breach.

_I hope._

~~~
ivalm
I hope the hackers are caught too. But from bitcoin perspective, I am not sure
how traceable things are if the hackers use mixing services or convert to
actually anonymous currency such as monero. The main problem is converting
untraceable bitcoin back to fiat, since most exchanges now follow KYC and will
track bitcoin both before and after it touches the exchange.

~~~
peteretep
> The main problem is converting untraceable bitcoin back to fiat

Got to imagine there’s a well-established laundering system for just that.

------
KingOfCoders
When I was running some IT for our startup we used FreeNAS with ZFS (and had
off site, borg backups), from my understanding we could just get to the last
snapshot for the (unencrypted) data? (sorry, no IT admin but developer ;-)

------
asdfasgasdgasdg
I wonder if this is a good argument to use cloud service providers. I'm sure
if someone got into your network they could probably delete everything from
your corporate Google Drive/Microsoft Office accounts, but these big companies
are more likely to be able to restore from backup than you are. Similarly,
good managed cloud databases will have backup and restore options that are
much easier than setting up immutable backup infrastructure for your company,
which might encourage companies to back up more often.

------
Geezus_42
How about good offline backups? Then you don't have to pay and hope you get
your data back. Of course you still need to figure out how they got in and
lock it down so it doesn't happen again, and there will be downtime as things
are restored. However you are already down at that point so that doesn't
really make a difference, and by paying you are encouraging the behavior.

~~~
DownGoat
They don't just start encrypting stuff as soon as they have a foothold. They
spend some time on your network siphoning out valuable data, compromise
backups, and staging for re-entry.
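
The backup regime zanny, imglorp and KingOfCoders describe above, combined with this comment's caveat that attackers go after the backups before they encrypt, as an added example that is not from the thread or any commenter: a small write-once, content-addressed Python store in which a run taken after the locker fired cannot overwrite the earlier run, and a tampered object is detected before restore. The file names, contents, run labels and the simulated "locker" step are all constructed for the demo, and the chmod is only a hint; real immutability has to come from the backup target (offline media, object lock, or credentials the source host does not hold).

```python
import hashlib, json, os, tempfile
from pathlib import Path

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tree_digest(root) -> dict:  # relative path -> sha256 of every file under root
    root = Path(root)
    return {str(p.relative_to(root)): sha256(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}

class VersionedStore:
    """Write-once store: objects/<sha256> hold file content, manifests/<run>.json map path ->
    sha256. backup() only adds files, so a run taken after the locker fired cannot clobber t0."""
    def __init__(self, root):
        self.objects, self.manifests = Path(root, "objects"), Path(root, "manifests")
        self.objects.mkdir(parents=True, exist_ok=True)
        self.manifests.mkdir(parents=True, exist_ok=True)

    def _put(self, data: bytes) -> str:
        digest = sha256(data)
        dest = self.objects / digest
        if not dest.exists():  # identical content is shared; an existing object is never rewritten
            dest.write_bytes(data)
            dest.chmod(0o444)  # a hint only: real immutability must come from the backup target
        return digest

    def backup(self, src, run: str) -> int:
        """Record every file under src in a new manifest; returns the file count."""
        mpath = self.manifests / f"{run}.json"
        if mpath.exists():
            raise FileExistsError(f"run {run} already recorded; manifests are write-once")
        manifest = {rel: self._put(Path(src, rel).read_bytes()) for rel in tree_digest(src)}
        mpath.write_text(json.dumps(manifest, sort_keys=True))
        mpath.chmod(0o444)
        return len(manifest)

    def verify(self, run: str) -> list:
        """Paths whose stored object is missing or no longer hashes to the manifest value."""
        manifest = json.loads((self.manifests / f"{run}.json").read_text())
        return [rel for rel, d in manifest.items() if not (self.objects / d).exists()
                or sha256((self.objects / d).read_bytes()) != d]

    def restore(self, run: str, dest) -> int:
        """Rebuild the tree of `run` under dest; refuses if the store fails verify()."""
        if bad := self.verify(run):
            raise ValueError(f"backup {run} has been tampered with: {bad}")
        manifest = json.loads((self.manifests / f"{run}.json").read_text())
        for rel, d in manifest.items():
            Path(dest, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(dest, rel).write_bytes((self.objects / d).read_bytes())
        return len(manifest)

def demo() -> dict:  # constructed scenario: clean run, locker event, restore, tampered store
    with tempfile.TemporaryDirectory() as tmp:
        src, store = Path(tmp, "src"), VersionedStore(Path(tmp, "store"))
        for rel, body in {"docs/a.txt": b"quarterly numbers", "docs/b.txt": b"client list",
                          "c.bin": bytes(range(16))}.items():
            Path(src, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(src, rel).write_bytes(body)
        clean = tree_digest(src)
        store.backup(src, "t0")
        for p in [p for p in src.rglob("*") if p.is_file()]:  # locker: overwrite, then rename
            p.write_bytes(os.urandom(len(p.read_bytes())))
            p.rename(p.with_name(p.name + ".locked"))
        store.backup(src, "t1")  # the post-incident run is appended; t0 is untouched
        result = {"t0_intact_after_t1": store.verify("t0") == [],
                  "restore_matches_clean": store.restore("t0", Path(tmp, "out")) == 3
                  and tree_digest(Path(tmp, "out")) == clean}
        victim = store.objects / clean["docs/a.txt"]  # attacker with write access to the store
        victim.chmod(0o644)
        victim.write_bytes(b"garbage")
        result["tamper_detected"] = store.verify("t0")
        try:
            store.restore("t0", Path(tmp, "out2"))
            result["restore_refused"] = False
        except ValueError:
            result["restore_refused"] = True
        return result
```

The demo shows both halves of the thread's point: the pre-incident run survives the locker because nothing in the store is ever overwritten, and a store the attacker could write to is caught by the hash check rather than silently restored.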

------
stirlo
This is a very recent event (ransom was only paid on 07/28).

They're not out of the woods yet. What's the bet they get crypto locked again
next week?

~~~
xuki
From what I read, the hackers always keep their word. Otherwise nobody will
pay them next time.

~~~
gorbachev
This particular hacker. What's preventing another hacker group doing the same?
The company is not able to fix all of the security issues immediately.

------
ponker
As much as I hate seeing douchebag criminals get rich, I do like that they
establish a financial cost of poor security.

------
drkrab
Looks like Garmin also paid:
[https://www.bleepingcomputer.com/news/security/confirmed-gar...](https://www.bleepingcomputer.com/news/security/confirmed-garmin-received-decryptor-for-wastedlocker-ransomware/)

------
noisy_boy
I'm waiting for the "Ransomware Negotiator with min. 15+ years experience"
jobs to show up.

------
marmshallow
A lot of people here are asking the government to make payment of ransoms
illegal. Makes sense to me, but can someone explain the potential downsides,
and why it may not be as simple as it sounds (I'm sure it's not)?

------
walterbell
What is the total size of the backup software industry, compared to the total
size of the security industry? Is backup software undervalued, if "offline
backup" is the only known defense against ransomware?

------
jb775
I constantly hear talk about Bitcoin not being completely anonymous, but it
seems like these ransomware attacks are always requesting Bitcoin. How are
they managing the Bitcoin so it's untraceable?

------
kumarski
Malta is Binance's location.

Malta enables Binance to enable users to "clean" approximately ~2 bitcoins/day
per an account.

Binance has ~5 times the daily trading volume of the 2nd leading exchange.

------
danbmil99
Why not pay the ransom, then track down the perpetrators for an uncomfortable
private chat with hired paramilitary types?

There has to be a stick or these folk will keep demanding more carrots.

~~~
scandox
What, spend another few million on an illegal adventure well outside their area
of expertise? Great idea. Why not reintroduce blood feuds to the toy
manufacturing business too!

------
unixhero
How about stop using Windows servers in enterprise environments???

------
reminddit
How did they get bitcoins that fast?

------
unionpivo
They are probably now on a priority target list for other groups, since they
do pay out.

So they have to get their security in order, or this is just the beginning of
their problems.

------
wombatpm
So could a state actor force enough miners to act in concert and conduct a 51%
attack and steal the bitcoin back?

------
anonymousDan
What exactly do the EDR tools recommended by the attacker give you?

------
mudiadamz
Bitcoin turns out to be an ugly currency, the price will slump very soon.

------
teruakohatu
What are the chances this is a $4.5m transfer to North Korea?

~~~
9nGQluzmnq3M
Low. The hackers are likely European, since there are telltales like European
number formatting ("10.000.000$") and awkward phrases like "make a step
forward" (perhaps Italian _fare un passo avanti_?).

~~~
rmujica
It seemed weird to me that the hacker's messages were right-justified, maybe
from a country with an RTL input method?

~~~
9nGQluzmnq3M
It's screencaps from one of those annoying in-browser support chat systems,
where doing text-align: left for one side and text-align: right for the other
is pretty common.

