Update: Hackers hold Travelex to ransom

News by Chandu Gopalakrishnan

The 31 December malware attack on UK-based currency exchange company Travelex turns out to be ransomware; foreign exchange services affected

Days after foreign exchange company Travelex ditched its computers (as reported by SC) and went manual after a malware attack, hackers have demanded a ransom.

SC Media UK today reported that critical security vulnerabilities in the enterprise VPN software Pulse Secure are being used to deliver ransomware. Travelex was running seven unpatched Pulse Secure servers just before the incident.

The hackers -- a ransomware gang called Sodinokibi, a.k.a. REvil -- have demanded a £4.6m ransom and set a two-day deadline for either restoring the computer systems or preserving customer data, reported the BBC.

They claim to have entered the company's computer network six months ago and to hold 5GB of sensitive customer data, including dates of birth, credit card information and national insurance numbers, the report said.

The UK Metropolitan Police is leading the probe into the issue, while the Information Commissioner's Office is yet to receive a breach notification from the company, the report added.

The Travelex network came under attack on New Year's Eve, following which the company took down its websites across 30 countries. The decision to go offline left the firms that use its services unable to sell currency online.

It is a "precautionary measure in order to protect data and prevent the spread of the virus", the company tweeted on 2 January. Travelex did not acknowledge any ransom demand then and assured a customer in a reply tweet that the user data is safe.

The forex services of major financial business brands such as Barclays, First Direct, H&T Pawnbrokers, HSBC, Sainsburys, Tesco and Virgin Travel Money were affected after Travelex went offline, tweeted travel money exchange rates data compiler Touchtree.

The travel money sections on the websites of Virgin Money, Tesco Bank and Sainsbury's Bank showed error messages, while First Direct, which is owned by HSBC, conceded that its forex services were not available due to the trouble at Travelex.

"The knock-on effect from this particular attack is possibly the more poignant and interesting part of the story. Rarely do we see so many third parties affected or even knocked out by such a situation," commented Jake Moore, cyber-security specialist at ESET.

"As other banks have now had repercussions, it suggests that Travelex may not have tested a ransomware simulation which can be extremely valuable to a company."

Being in this sector and relying on a network of third parties makes such companies preferred targets, said ThreatConnect CEO Adam Vincent.

"Financial institutions are a lucrative target – they hold highly sensitive information and have a mandate to protect the personal information of their customers."

Even if no personal or customer data has been compromised, the attack will still have serious consequences for the company and its reputation, especially as this is now the second security incident Travelex has faced recently, observed Will LaSala, director of security solutions at OneSpan.

"The best we can hope for here is that Travelex don't pay the ransom. Paying up is no guarantee in a straight blackmail case, and the attackers are fully at liberty to release the files after payment or simply vanish," said Chris Boyd, lead malware analyst at Malwarebytes.

Paying up may not help as encrypted files can be damaged during the decryption process, he added.
