Security News > 2020 > July > First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo
US corporate travel management firm Carlson Wagonlit Travel has suffered an intrusion and it is believed the company paid a $4.5m ransom to get its data back.
The ransomware, a relatively new strain first seen late last year, deploys a Windows XP virtual machine onto the target network in order to unleash the ransomware itself.
"Matt Walmsley, EMEA director of infosec biz Vectra, told The Register:"Ragnar Locker is a novel and insidious ransomware group, as Portuguese energy provider EDP found out earlier this year when they reportedly lost 10TB of private information to the ransomware operator.
Mirroring the 'name and shame' tactic used by Maze Group ransomware, victim's data is exfiltrated prior to encryption and used to leverage ransomware payments.
Bert Steppé, researcher in F-Secure's Tactical Defence Unit, added: "Ragnar Locker is a relatively new ransomware family, used in targeted attacks. The ransom note is personalised for each victim. It was first observed in the beginning of this year, where it was deployed on vulnerable Citrix servers. The ransomware is still under active development, and the attackers are quite innovative to evade detection: in one known case, they have deployed a complete WinXP virtual machine to encrypt files on the host from within the VM.".