Travelex Facing Ransom Demand After Attack

A ransomware attack has crippled the currency seller's services, with cyber criminals reportedly demanding a £4.6 million ransom within two days

The website of foreign currency seller Travelex continues to be unavailable after a devastating ransomware attack on Tuesday 31 December (New Year's Eve).

When Travelex first confirmed the attack on 3 January, it remained tight-lipped about the exact details, confirming only that the attack involved a virus. Security experts at the time were quick to speculate that the currency service provider had suffered a ransomware attack.

Now the company has confirmed in a statement that ransomware is to blame for its website still being offline more than a week later, with some media reports suggesting the firm is facing a ransom demand of nearly £5 million, and that a deadline has been set for payment.

Ransomware attack

Travelex stated that while the investigation is still ongoing, it has confirmed that the software virus is the ransomware known as Sodinokibi, also commonly referred to as REvil.

“Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful,” it said. “To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted.”

However, it cautioned that it does not yet have a complete picture of all the data that has been encrypted, though it said there is still no evidence to date that any data has been exfiltrated.

Travelex said that it is conducting a detailed forensic analysis and is now also working towards recovery of all systems.

“To date Travelex has been able to restore a number of internal systems, which are operating normally,” it said. “The company is working to resume normal operations as quickly as possible and does not currently anticipate any material financial impact for the Finablr Group.”

“Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise,” explained Tony D’Souza, chief executive at Travelex.

“We take very seriously our responsibility to protect the privacy and security of our partners’ and customers’ data as well as provide an excellent service to our customers, and we sincerely apologise for the inconvenience caused,” said D’Souza. “Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim. We are working tirelessly to bring our systems back online.”

It said it is liaising with the National Crime Agency (NCA) and the Metropolitan Police, who are conducting their own criminal investigations.

Ransom demand

Meanwhile, the gang behind the Sodinokibi ransomware told the BBC it is responsible for the attack and wants Travelex to pay $6m (£4.6m).

The gang claimed to have gained access to the company’s computer network six months ago and to have downloaded 5GB of sensitive customer data.

Dates of birth, credit card information and national insurance numbers are all in their possession, they alleged.

“In the case of payment, we will delete and will not use that [data]base and restore them the entire network,” the hackers reportedly told the BBC. “The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”

Travelex warned

Security experts have weighed in on the attack, with some lambasting the firm for a lack of training and others calling for it to be more open about the situation.

Even worse, the firm was apparently warned its services were vulnerable before the attack.

“Being forced to use pen and paper must feel more like 1920 than 2020,” said Jake Moore, cyber security specialist from ESET. “The knock on effect from this particular attack is possibly the more poignant and interesting part of the story.”

“Rarely do we see so many third parties affected or even knocked out by such a situation,” said Moore. “As other banks have now had repercussions, it suggests that Travelex may not have tested a ransomware simulation which can be extremely valuable to a company.”

Another expert noted the impact the attack is having on Travelex partners and customers.

“The lifeblood of Travelex’s business is undoubtedly its ability for partners and customers to have access to their online travel services, and every minute their systems are locked and offline their business is suffering,” said Sam Curry, chief security officer at Cybereason.

“Details are scant at this time, but this is an early 2020 wake up call to all organisations to maintain regular and constant backups of important files and consistently verify that the backups can be restored,” said Curry. “Organisations should also educate their employees on refraining from downloading pirated software or paid software offered for ‘free,’ as humans are the single biggest asset cyber criminals have in extorting money from businesses.”
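Curry's advice to keep backups and "consistently verify that the backups can be restored" is easy to state and often skipped in practice. The Python below is an added example, not Travelex's or Cybereason's code: it records a SHA-256 manifest when a backup is taken, performs a test restore into a scratch directory, and re-hashes every file so that a truncated or missing file is detected before the backup is needed. The sample "live" tree (an FX rates CSV and a config file) is constructed inline for the demo and is not real Travelex data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Added example, not Travelex's or any vendor's code: a minimal "can the backup
# actually be restored?" check. A manifest of SHA-256 digests is recorded when
# the backup is taken; after a test restore into a scratch directory, every
# file is re-hashed and compared, so silent corruption, truncation or a missing
# file is caught before the day the backup is relied on.


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to `root` to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest.

    Returns {relative_path: reason} for every file that is missing or whose
    digest differs; an empty dict means the restore is verified.
    """
    problems = {}
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != expected:
            problems[rel] = "digest mismatch"
    # Extra files in the restore are not an integrity failure of the backup,
    # but flag them so unexpected content is noticed.
    for p in restored_root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored_root).as_posix()
            if rel not in manifest:
                problems[rel] = "not in manifest"
    return problems


def demo() -> tuple:
    """Run the whole cycle on a constructed sample tree (not real Travelex data).

    Returns (problems after a clean restore, problems after a corrupted restore).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        (src / "db").mkdir(parents=True)
        (src / "db" / "rates.csv").write_text("GBP,USD,1.31\nGBP,EUR,1.18\n")
        (src / "config.yaml").write_text("service: fx\nregion: uk\n")

        # 1. Take the backup and record the manifest alongside it.
        backup = tmp / "backup"
        shutil.copytree(src, backup)
        manifest = build_manifest(src)

        # 2. Test-restore into a scratch location and verify it.
        restore = tmp / "restore_test"
        shutil.copytree(backup, restore)
        clean = verify_restore(manifest, restore)

        # 3. Simulate a bad restore: one file truncated, one file lost.
        (restore / "db" / "rates.csv").write_text("GBP,USD,1.31\n")
        (restore / "config.yaml").unlink()
        broken = verify_restore(manifest, restore)
        return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean restore problems:", clean)
    print("broken restore problems:", broken)
```

The manifest should be stored separately from the backup media it describes (and ideally signed), since ransomware that reaches the backup store can rewrite both the data and a co-located manifest; the verification step is only as trustworthy as the copy of the manifest it reads.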

Another expert described the attack as the worst-case scenario for ransomware, made worse by reports that Travelex had been warned beforehand that it was running vulnerable services.

“The ongoing attack against Travelex is arguably the worst case scenario for how crippling ransomware can be,” said Stuart Reed, VP of cyber security at Nominet.

“Not only is Travelex itself affected, having to close its website across 30 countries for over a week,” said Reed. “This attack has also brought much of its partner ecosystem – including HSBC, Barclays, Sainsbury’s Bank, and Virgin Money – to a grinding halt. If there was ever any doubt that a cyber attack could have a significant effect on financial markets, this proves otherwise.”

“Travelex has faced criticism for its public acknowledgement of the attack, with its website initially reporting that it was down for ‘planned maintenance’ and reportedly it was also made aware that it was running vulnerable services in September by a security researcher and the NCSC,” said Reed.

Another security expert urged Travelex not to pay the ransom.

“The best we can hope for here is that Travelex don’t pay the ransom,” said Chris Boyd, lead malware analyst at cybersecurity firm Malwarebytes. “Paying up is no guarantee in a straight blackmail case, and the attackers are fully at liberty to release the files after payment or simply vanish.”

“On a similar note, recent changes to certain forms of ransomware mean paying up may not help, as encrypted files can be damaged during the decryption process,” Boyd added. “However these attacks take hold, it’s in everyone’s interest not to encourage the culprits to continue breaching networks.”

Finally, another expert urged Travelex to be open and honest with its customers.

“For most businesses, data is its most valuable asset so maintaining its security must be a business imperative,” said Rachel Aldighieri, managing director of the Data and Marketing Association (DMA).

“If there is any potential breach that puts consumers’ personal information at risk, customers must be informed promptly by clearly communicating how they could be affected and how the organisation intends to rectify the situation,” said Aldighieri.

“Consumer trust in how organisations collect, store and use data is fundamental to a data-driven economy,” she said. “Not only does trust help businesses to build sustainable relationships with customers, it can influence consumers’ willingness to share data in the future.”
