{"id":36371,"date":"2020-07-31T12:50:14","date_gmt":"2020-07-31T12:50:14","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/"},"modified":"2020-07-31T12:50:14","modified_gmt":"2020-07-31T12:50:14","slug":"first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/","title":{"rendered":"First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn&#8217;t get the memo"},"content":{"rendered":"<p><strong class=\"trailer\">Exclusive<\/strong> US corporate travel management firm Carlson Wagonlit Travel has suffered an intrusion and it is believed the company paid a $4.5m ransom to get its data back.<\/p>\n<p>The attack hit the company a week ago, causing a shutdown of all systems while the infection was contained and dealt with.<\/p>\n<p>It appears that Carlson Wagonlit may have paid a ransom demand in excess of 400 Bitcoins, or $4.5m at current rates \u2013 a sum its $1.5bn annual revenues may have been able to absorb without too much trouble. A Twitter user <a target=\"_blank\" href=\"https:\/\/twitter.com\/JAMESWT_MHT\/status\/1288797666688851969\" rel=\"noopener noreferrer\">posted the first indication of a breach<\/a>, as well as the ransom, on Thursday:<\/p>\n<div class=\"CaptionedImage Center Border\" readability=\"7\"><a href=\"https:\/\/regmedia.co.uk\/2020\/07\/31\/cwtragnarlocker.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/regmedia.co.uk\/2020\/07\/31\/cwtragnarlocker.jpg\" alt=\"Twitter user @JAMESWT_MHT posted about Ragnar Locker hitting CWT on Thursday\" title=\"Twitter user @JAMESWT_MHT posted about Ragnar Locker hitting CWT on Thursday\" height=\"862\" width=\"618\"><\/a><\/p>\n<p class=\"text_center\">Twitter user @JAMESWT_MHT posted about Ragnar Locker hitting CWT. Click to enlarge<\/p>\n<\/div>\n<p>Malware analysis sites linked in the tweet showed that a sample of the ransomware was uploaded on Monday 27 July.<\/p>\n<p>Carlson Wagonlit, which recently rebranded itself CWT, provides travel and hotel booking services on what it calls a B2B2E basis \u2013 business to business to employee. Companies contract out the tedious parts of arranging corporate travel to CWT rather than doing it themselves. <i>The Register<\/i> understands that while CWT notified some of its corporate customers earlier this week, it also told them that individual travellers&#8217; data was not compromised \u2013 and that seems to be where the notification chain stopped.<\/p>\n<p>In a statement, the company told <i>The Register<\/i>:<\/p>\n<p>A spokesman referred us back to the prepared statement when we asked whether CWT paid the ransom and if so, how much. Regrettably, it seems the firm has joined the ranks of other multinationals paying off criminals, including, from the last month alone, <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2020\/07\/27\/garmin_ransomware_recovery\/\" rel=\"noopener noreferrer\">navigation and fitness-tracking firm Garmin<\/a> and cloud <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2020\/07\/17\/blackbaud_paid_ransomware\/\" rel=\"noopener noreferrer\">CRM purveyor Blackbaud<\/a>. Warnings that <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2018\/03\/09\/less_than_half_of_ransomware_marks_get_their_files_back\/\" rel=\"noopener noreferrer\">less than half of businesses paying ransoms don&#8217;t recover all of their data<\/a> are simply falling on deaf ears, as is the fact that paying these crooks simply sustains their business model and encourages them to continue their crime sprees.<\/p>\n<p>UK data watchdog the Information Commissioner&#8217;s Office said it had not yet received a breach notification from CWT, which has an extensive UK presence, adding that organisations must report breaches within 72 hours of becoming aware of them unless the breach does not appear to &#8220;pose a risk to people&#8217;s rights and freedoms&#8221;.<\/p>\n<p>Its published guidance states:<\/p>\n<p>It is thought that the nasty involved was Ragnar Locker. The ransomware, a relatively new strain first seen late last year, <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2020\/05\/22\/byovm_ransomware_in_virtualbox\/\" rel=\"noopener noreferrer\">deploys a Windows XP virtual machine onto the target network<\/a> in order to unleash the ransomware itself. According to Brit threat intelligence firm Sophos, typical attack vectors include poorly configured security controls around remote desktop services or supply chain attacks against managed service providers.<\/p>\n<p>Matt Walmsley, EMEA director of infosec biz Vectra, told <i>The Register<\/i>: &#8220;Ragnar Locker is a novel and insidious ransomware group, as Portuguese energy provider EDP found out earlier this year when they reportedly lost 10TB of private information to the ransomware operator. Mirroring the &#8216;name and shame&#8217; tactic used by Maze Group ransomware, victim&#8217;s data is exfiltrated prior to encryption and used to leverage ransomware payments. The bullying tactics used by these ransomware groups are making attacks even more expensive, and they are not going to stop any time soon, particularly within the current climate.<\/p>\n<p>&#8220;Ragnar Locker has also used service providers as a means to distribute their payload. These attackers will attempt to exploit, coerce, and capitalise on organisations&#8217; valuable digital assets, and now service companies, with their extensive number of tantalising downstream corporate customers, appear to have been targeted too.&#8221;<\/p>\n<p>Bert Stepp\u00e9, researcher in F-Secure&#8217;s Tactical Defence Unit, added: &#8220;Ragnar Locker is a relatively new ransomware family, used in targeted attacks. The ransom note is personalised for each victim. It was first observed in the beginning of this year, where it was deployed on vulnerable Citrix servers. The ransomware is still under active development, and the attackers are quite innovative to evade detection: in one known case, they have deployed a complete WinXP virtual machine to encrypt files on the host from within the VM.&#8221;<\/p>\n<p>Ragnar Locker is also said to hunt down and delete backups, related utilities and connected storage drives. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2020\/07\/31\/carlson_wagonlit_travel_ragnarlocker_ransom_paid\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>$4.5m may have gone into crims&#8217; pockets after bookings biz hit by Ragnar Locker nasty Exclusive\u00a0 US corporate travel management firm Carlson Wagonlit Travel has suffered an intrusion and it is believed the company paid a $4.5m ransom to get its data back.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":36372,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-36371","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn&#039;t get the memo 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn&#039;t get the memo 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2020-07-31T12:50:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/07\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"618\" \/>\n\t<meta property=\"og:image:height\" content=\"862\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn&#8217;t get the memo\",\"datePublished\":\"2020-07-31T12:50:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/\"},\"wordCount\":714,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/07\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo.jpg\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/\",\"name\":\"First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/07\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo.jpg\",\"datePublished\":\"2020-07-31T12:50:14+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/07\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/07\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo.jpg\",\"width\":618,\"height\":862},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn&#8217;t get the memo\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/","og_locale":"en_US","og_type":"article","og_title":"First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2020-07-31T12:50:14+00:00","og_image":[{"width":618,"height":862,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/07\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn&#8217;t get the memo","datePublished":"2020-07-31T12:50:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/"},"wordCount":714,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/07\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo.jpg","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/","url":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/","name":"First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/07\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo.jpg","datePublished":"2020-07-31T12:50:14+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/07\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/07\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo.jpg","width":618,"height":862},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/first-rule-of-ransomware-club-is-do-not-pay-the-ransom-but-it-looks-like-carlson-wagonlit-travel-didnt-get-the-memo\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn&#8217;t get the memo"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/36371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=36371"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/36371\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/36372"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=36371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=36371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=36371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}