Currency Exchange Travelex Held Hostage by Ransomware AttackSodinokibi Group Demanding Millions in Ransom
A ransomware attack has held London-based foreign currency exchange firm Travelex hostage since at least New Year's Day, the company confirmed Tuesday after more than a week of vague updates. It appears that the Sodinokibi gang is behind the incident.
See Also: Ransomware Recovery in the 'New Normal'
On Tuesday, the BBC first reported that the Sodinokibi gang, which also goes by the name REvil, claimed to have accessed Travelex's network six months ago and had downloaded and then encrypted about 5GB of sensitive customer data, including dates of birth as well as payment and credit card data.
In addition, cybercriminals are asking for approximately $6 million in ransom to release the data, the BBC reports. The ongoing attack has crippled Travelex's websites in the U.K., the U.S. and Asia. Since New Year's Day, customers have been greeted with vague messages that claim the sites are down due to "planned maintenance."
Travelex is a London-based foreign exchange firm that has over 1,000 stores and 1,000 ATMs in major transit points across 26 countries. It enables money transfer through cash or Travelex prepaid card. It also says it processes over 5,000 currency transactions every hour.
A Travelex spokesperson could not be reached for comment on Wednesday.
After nearly a week of vague customer updates, Travelex finally admitted Tuesday that it had been hacked by the ransomware gang. The BBC also reported on Tuesday that the criminal gang will double its demand in two days if it's not paid and has threatened to sell the data within a week if its demands are not met.
"Whist Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated," according to a company update. "Travelex is in discussions with the National Crime Agency and the Metropolitan Police, who are conducting their own criminal investigations, as well as its regulators across the world."
The attack has meant that Travelex has been forced to resort to manual measures for carrying out its business. This has affected banks that include Tesco, HSBC, Sainsbury's Bank and Virgin Mone, which use the Travelex's third-party currency exchange services.
Company's Response Criticized
Over the last seven days, Travelex's response to the ransomware attack has been criticized by security professionals due to the company's lack of clear messaging to customers whose data may have been affected.
If Travelex had been transparent with customers from beginning, the story would barely have made a blip in the media as cybersecurity issues happen.— Kevin Beaumont (@GossiTheDog) January 8, 2020
I think it's a good learning point for other organisations around incident response - maybe the age of transparency is upon us.
As of Wednesday, the Travelex website remained down, with only the company's press statement accessible.
Over the last week, security experts such as Kevin Beaumont have been warning that the Sodinokibi ransomware gang has been targeting unpatched Pulse Secure VPN servers for some time. While fixes for the flaws have long been available, at least several thousand internet-connected servers remain unpatched, according to Beaumont (see: Patch or Perish: VPN Servers Hit by Ransomware Attacker).
ComputerWeekly reports that Travelex had seven Pulse Secure VPN servers - in Australia, the Netherlands, the U.K. and the U.S. - that the company appears to have failed to patch against one of these flaws, called CVE-2019-11510, until November.
If the BBC report is accurate, the Sodinokibi ransomware gang penetrated the network several months before the patch was applied to the servers that Travelex uses.
Sodinokibi Gang Reaping Higher Ransoms
Security firm McAfee has been tracing payments made to the Sodinokibi gang since April 2019. Researchers believe that the group benefits from each infection, which generates its own unique bitcoin wallet if victims pay, with the average ransom demand working out to about 0.45 bitcoin, worth $4,000 (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).
Sodinokibi affiliates keep 60 percent of every ransom payment, rising to 70 percent after they book three successful ransom payments, according to the McAfee report. The remaining percentage gets remitted to the actor or actors behind Sodinokibi. With the average ransom amount paid being $2,500 to $5,000, the Sodinokibi actor would typically receive $700 to $1,500 every time a victim pays a ransom.
Another report by ransomware incident response firm Coveware notes the ransomware-as- a-service groups increased ransoms demanded in the third quarter of 2019, when the average paid was $41,198, an increase of 13 percent vs. the second quarter and a nearly six-fold increase from the third quarter of 2018 (see: Ransomware: Average Ransom Payout Increases to $41,000).