Travelex, a UK-based foreign exchange company, had its operations disrupted after it was hit by a sophisticated ransomware attack. The attack took place on New Year's Eve, when most of Travelex's employees were on holiday. The criminals responsible appear to be the prolific Sodinokibi group, also known as REvil. The initial ransom demand was $3 million, but after two days without payment the sum was doubled to $6 million. The attackers also claim to have had access to Travelex's network for six months, during which they say they downloaded 5GB of sensitive data, including customers' credit card details, national insurance numbers, and dates of birth. The Sodinokibi group has stated that it is prepared to sell the stolen information if Travelex fails to pay the ransom within seven days.
Travelex was forced to shut down its computer network in order to contain the spread of the malware. The company's websites across 30 countries were also taken down, with visitors seeing a "planned maintenance" message in the days immediately after the attack. The ransomware attack has also had significant consequences for Travelex's partners that rely on the company for foreign exchange services. Among the affected organizations are banks such as Sainsbury's Bank, HSBC, Barclays, First Direct, Virgin Money, and Asda Money.
Travelex issued an official statement on January 7, a full week after the incident. In it, the company acknowledges that some of its data was indeed encrypted with Sodinokibi, but says it found no evidence that "structured personal customer data" had been encrypted. Nor did it find evidence that any data had been exfiltrated by the attackers.
Company Waited Months to Patch Critical Vulnerabilities
Security researchers pointed out the slow pace at which Travelex dealt with security issues found in the Pulse Secure virtual private network (VPN) servers its employees used to connect remotely to the company's central systems. The problems were severe enough for Pulse Secure to issue an advisory and software patches back in April 2019. Travelex, however, appears to have waited eight months before finally patching its servers, which left plenty of time for attackers to exploit the vulnerabilities and gain access to the network. An unpatched, internet-facing VPN appliance is a remote-access point by design, so a known flaw in it is exactly the kind of entry vector a ransomware operator looks for.
Under UK law, organizations that suffer a personal data breach have 72 hours to notify the Information Commissioner's Office (ICO) unless they judge that the breach is unlikely to pose a risk to people's rights and freedoms. In that case, the organization is still required to keep a record of the breach and to be able to justify why it did not report it to the ICO. A company that fails to comply may face a fine of up to 4% of its annual global turnover (or €20 million, whichever is higher) under the General Data Protection Regulation (GDPR).
Sodinokibi Took GandCrab's Place as Top Ransomware-As-A-Service
Sodinokibi has been active on the ransomware front since April 2019. The group emerged after the criminals behind the notorious GandCrab ransomware announced that they were retiring after supposedly raking in millions in ransom payments. While it is not confirmed, many cybersecurity analysts believe that some of the people behind the GandCrab operation may have moved on to Sodinokibi, given the striking similarities in the code of the two ransomware families.
Although the Sodinokibi group had threatened to release stolen data during several previous ransomware attacks, it had not followed through until now. That changed on January 10, when a representative for the group stated that they were starting to keep their promises and posted links to around 337MB of data on a Russian hacker forum. The data is allegedly from Artech Information Systems, one of the largest IT-staffing companies in the world.
Travelex Issues Update on Its Recovery From the Attack
On January 12, Travelex published an updated statement on its sites. The company informed its customers and partners that it had successfully restored some of its internal and order-processing systems. Its next step is to bring back online the systems responsible for processing "customers' order electronically within its partners' and its own retail branch networks". Furthermore, Travelex plans to release a recovery roadmap at some point in the following week.
Travelex also reiterated that no evidence of exfiltrated customer data has been found and that it is working with the National Cyber Security Centre (NCSC) and the Metropolitan Police to resolve the case. Customers who want to apply for refunds or discuss any issues are encouraged to contact the company's local customer service.