Attackers demand $3m amid Travelex ransomware attack

The firm has not paid the ransom as of yet but has been criticized for its public response.
7 January 2020

Travelex at Hong Kong International Airport. Source: Shutterstock

Foreign exchange company Travelex is being held to ransom by attackers who are allegedly demanding a sum of US$3 million to release the company’s database.

Travelex was forced to take down its website after Sodinokibi ransomware took hold on New Year’s Eve, an attack thought to have been timed for a period when many of the firm’s staff were on holiday.

Sodinokibi, also known as REvil, first appeared in April last year. It is ransomware that can be ‘rented’ and customized by criminals to target their own victims, with the operators taking a cut of the profits.

The attackers claim that on payment of the ransom in Bitcoin (via a domain registered in China) they will either restore Travelex’s IT systems or preserve its customers’ data.

The attackers claimed in a readme file:

“It is just business. We absolutely do not care about you or your details, except getting benefits. If we do not do our work and liabilities – nobody will not co-operate with us. It is not in our interests.”

“If you do not co-operate with our service – for us it does not matter. But you will lose your time and your data, cause just we have the private key. In practice time is much more valuable than money.”

The attackers claim that if they don’t receive the ransom by an undisclosed deadline, they will release 5GB of customers’ personal information into the public domain, including social security numbers, dates of birth and payment card details.

Travelex’s websites across Europe, Asia and the US have been offline since December 31. As of today (January 7), visitors to Travelex.co.uk are met with a message stating the service is “temporarily unavailable due to planned maintenance.”

Travelex.co.uk claims its site is down for planned maintenance.

However, visitors to Travelex.com are met with a statement confirming “a software virus was discovered on New Year’s Eve” and that all systems were immediately taken offline as a “precautionary measure.”

The statement adds: “Our investigation to date shows no indication that any personal or customer data has been compromised.”

The company has said that its branches are able to continue offering foreign exchange services “manually”. However, a large network of other firms that rely on Travelex’s services, including Virgin Money and Sainsbury’s Bank, is also affected as a result.

The Metropolitan Police is leading the investigation into the attack and says “enquiries into the circumstances are ongoing.”

While Travelex has apparently not yet paid the ransom, its public response to the attack, particularly its communication with customers, has been criticized.

“The public response from Travelex has been shockingly bad,” said security researcher Kevin Beaumont to BBC News.

“The Travelex UK website still only says ‘planned maintenance’, a week after the problems began – many customers will be completely unaware hackers gained access to their network, and allegedly their personal data,” he said.

“Travelex have a responsibility to clearly communicate with customers and business partners the gravity of the situation.”

Speaking to TechHQ, Chris Boyd, Lead Malware Analyst at cybersecurity firm Malwarebytes said: “The best we can hope for here is that Travelex don’t pay the ransom.

“Paying up is no guarantee in a straight blackmail case, and the attackers are fully at liberty to release the files after payment or simply vanish.”

Boyd also noted that recent changes to certain forms of ransomware mean paying up may not help, as encrypted files can be damaged during the decryption process.

“It’s in everyone’s interest not to encourage the culprits to continue breaching networks,” he said.