The travel sector should pledge to never pay ransoms to hackers. But it either can't or won't. So the ransom payments will go on, helping to fund the criminal development of evermore spectacular attacks.
A spate of ransomware attacks on travel companies worries some security professionals, who believe the criminals are upping their games. Some criminal groups may be plowing part of the payouts they get from shakedowns into launching more sophisticated attacks.
Carnival discovered on August 15 it had become the latest travel industry victim of ransomware, software that holds a victims’ devices and data hostage while the perpetrators demand money.
Carnival, one of the world’s largest cruise operators, warned investors this week that criminals may have accessed the personal details of its customers and staff. The company said hackers accessed data in a part of an IT system for one unnamed brand. Carnival’s brands include Cunard, Princess, and P&O.
CWT, the travel management giant, reportedly paid $4.5 million in ransom last month to hackers who had taken sensitive corporate files hostage and took about 30,000 computers offline.
Garmin, the maker of navigational systems, suffered a service outage for many days after a ransomware attack in July. Garmin paid a “multi-million dollar” sum, Sky News reported, though the company hasn’t commented.
Hackers targeted Travelex, the currency-exchange business, with a ransomware attack on December 31, 2019, that halted portions of its business for weeks, its parent company, Finablr, said. Hackers demanded $6 million, BBC News reported.
Rising Trend in Double Ransoms
Carnival, CWT, Garmin, and Travelex have said little about the nature of the attacks. So it’s hard to know if the travel sector at large has any common vulnerabilities.
The severity of attacks has been on the rise. While ransomware has been around for at least seven years, the recent attacks have raised the alarm among some experts because they increasingly include theft of sensitive data.
“Starting in November, they began using the threat of auctioning that data [to identity thieves] or publishing it as additional leverage to extort companies,” said Brett Callow, a threat analyst for Emsisoft, a cybersecurity company with an expertise in ransomware.
Hackers who download sensitive data can ask for a second ransom. They’ll threaten to publish the data unless a company delivers a payoff.
“Even if a company has backups and can recover its data that way, it still has got the problem of what to do about the stolen data,” Callow said.
None of the above companies have said if they paid ransoms. But other victims have paid up.
Take the case of Albany International Airport, about 160 miles north of New York City. In December 2019, hackers tapped into the airport’s systems through the maintenance server of its managed service provider, Logical Net, which helped host some of the airport’s systems in the cloud. Some of the airport’s critical systems froze, and it couldn’t access backup files.
To solve the problem quickly, the airport paid a ransom of “under six figures.” An insurer reimbursed part of the ransom payment, and the airport also sought compensation from Logical Net.
Insurers may be fueling an “extortion economy” by reimbursing ransom payments to criminal groups, according to a report last year by the investigative news organization ProPublica. Some insurers see the payoffs as cheaper than reimbursing policyholders for lost revenue while negotiations drag on.
“Bad actors actually offer quite good customer service, some of them,” Callow said. “Guaranteed turnaround times for the supply of decryption tools. Polite negotiations. Better service than you may get from some government departments for sure.”
A Temptation to Give in to Extortion
Ransom payments can backfire.
“Companies are paying for a pinkie promise from a bad actor that the stolen data will be destroyed,” Callow said.
A survey of about 1,200 information security professionals by security company CyberEdge found that a majority of companies paid a ransom, but criminal groups in a significant number of cases failed to restore systems and data fully.
Precautions to Take Against Ransomware
Ransomware is often preventable, experts said.
“When did you last hear about a bank or a wing of a national government being hit?” Callow asked. “You usually don’t, and that’s because they generally have solid security in place.”
The problem is that bad actors appear to be getting savvier. Suppose that companies the size of Carnival, CWT, Garmin, and Travelex deployed standard antivirus software. In that case, one can deduce that hackers are finding ways to evade those defenses.
Some impartial advice on how to cope can be found in the U.S. Federal Bureau of Investigation’s advice to CEOs about how to address the ransomware threat, the “No More Ransom” website backed by Interpol (the International Criminal Police Organization), and a May report on ransomware from Interpol.
Remote Work Loopholes
No employee of a travel company we spoke with would go on the record to talk about the recent incidents. But some security experts pointed to some possible elements in the attacks.
Some bad actors appear to be exploiting glitches in the connections remote workers use to access company networks. The rise of remote work during the pandemic may have made such attacks easier.
Attacks on so-called remote desktop protocols accounted for a big chunk of ransomware attacks recently according to security company Coveware. A handful of hackers may instead be using virtual machines as a way to evade antivirus software.
Hostages to Fortune
Many travel executives would bet that it’s cheaper to pay ransoms than invest in preventive measures after passing a certain threshold on security spending. The question is how much security spending is reasonable.
Many company leaders may think they know the drill on cybersecurity. But some may have an outdated view on the risks of the next-generation of ransomware.
Vendors have an obvious self-interest in exaggerating threats to tout their wares. But a few best practices seem broadly plausible.
One precaution is to store full data backups off of a company’s network. Some of the recent incidents related to third-party vendors managing this service poorly.
Another cheap action is to make sure employees follow company security policies. Security spending is useless if workers take dangerous shortcuts.
A third solution that’s affordable but often neglected is for companies to watch their networks at all times and act quickly to a breach. Many cyber attacks involve a months-long gap between first entering a system and launching an attack as the perpetrators study a system’s weaknesses. Using a company’s existing antivirus measures to cut down such so-called “dwell time” can be cost-effective.
Many cost-effective actions can reduce the risk of suffering from ransomware attacks. But at the level of the entire travel sector, the key step is to make ransomware unprofitable.
“Ransomware continues to proliferate because companies continue to pay ransoms,” said Callow.
Skift Daily Newsletter
Get the travel industry’s daily must-read email 6 days a week
Photo credit: Illustration of computer hacking. Ransomware attacks on Carnival, CWT, Garmin, and Travelex suggest that the travel sector might be underestimating its security risk exposure. Adobe