Cyber Criminals Demand Ransom From Travelex

Uploaded on 2020-01-07 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Transport & Travel, BUSINESS-Services-Financial

Hackers are holding foreign exchange company Travelex to ransom after a cyber-attack forced the firm to turn off all computer systems and resort to using pen and paper. As a result, the company took down its websites across 30 countries to "contain the virus and protect data".

New questions have been raised about the security of Travelex’s computer network after it emerged the company waited eight months to patch vulnerable VPN servers.

Four days following the attack the company has now disclosed it is facing demands for payment to decrypt critical computer files after it was hit by one of the most sophisticated ransomware attacks, known as Sodinokibi.

The malware struck Travelex in the early hours of 31 December 2019, when it encrypted critical business files and left readme documents on infected computers.The readme files instructed Travelex to pay a ransom in bitcoin through a website with a top-level domain registered in China in March 2019. 

The attack has resulted in the Travelex websites in at least 20 countries becoming inaccessible and left its outlets in airports and other retail sites without access to the internet or email or Travelex’s IT systems, as the company shut down systems to prevent the spread of the virus.

Travelex
Travelex has operations in 27 countries and has faced days of disruption after criminal hackers penetrated its computer networks and delivered a devastating attack timed to hit the company when many of its staff were on holiday. According to security specialists, criminals are expected to demand a six-figure sum to supply Travelex with decryption tools that will allow it to recover the contents of files across its computer network that have been encrypted by the virus. 

The attack has also disrupted banks, including Sainsbury’s Bank, Barclays, HSBC, Virgin Money, First Direct and Asda Money, along with others that rely on Travelex to provide their foreign exchange services. Travelex staff have been forced to record transactions manually, and are unable to take card payments for foreign currency or deliver pre-ordered currency to travellers who had pre-ordered it for collection.

Customers have complained they have been unable to top up their Travelex currency cards, confirm transactions have taken place, check balances or use the Travelex app.

  • Travelex host the Virgin Money Travel Money site on behalf of Virgin Money as a third party supplier, this site is also not functioning while Travelex is not operating online. 
  • Sainsbury's Bank also said its online travel money services were unavailable, although it said customers could still buy travel money in its stores. In a statement to the BBC, the bank said: "We're in close contact with Travelex so that we can resume our online service as soon as possible."

Hackers Demand Decryption Ransom
Sodinokibi, also known as REvil, appeared in April 2019, offering criminal gangs the opportunity to rent the ransomware and customise it to target their own victims in return for a cut of the profits. Some criminal groups have links to Syria and Iran, according to research by McAfee.

The disclosure comes amid new evidence that Travelex took eight months to patch computer servers containing a critical security vulnerability after the problem was first disclosed by security researchers, leaving its networks vulnerable to attacks from cyber criminals.

The hackers instructed Travelex staff to visit a website, which appears to be hosted in a datacentre in Colorado, US, using the Tor secure browser, which prompts users to enter a long pass key that will unlock instructions on how to pay a ransom to release decryption tools.

Apparently computers containing confidential information, including names of clients and bank account and transaction details, had been infected by Sodinikibi, which adds a random character string to the end of each encrypted file.

Travelex was Slow to Patch Critical Servers 
Security researchers reported that Pulse Secure VPN services contained bugs that could allow people to gain covert access to a company’s network, prompting Pulse Secure to issue an advisory notice and software patches to correct the problem in April 2019. On 13 September, security company Bad Packets sent emails to thousands of companies with vulnerable Pulse Secure VPN services, after identifying that hackers were attempting to exploit the vulnerabilities.

It warned Travelex that it had seven unpatched Pulse Secure VPN servers in Australia, the Netherlands, the UK and the US, with vulnerabilities that could allow attackers to access its networks. 

Analysis by Bad Packets shows that Travelex did not patch the servers until early November 2019, leaving a critical window in which the servers were vulnerable to attack.

Travelex Remote Desktops Vulnerable
Researchers at McAfee Labs say that cyber attackers use a variety of techniques to plant Sodinokibi on targeted computer networks. These include targeted phishing email attacks and exploit kits, compromised websites used to spread malware.The majority of attacks, however, start by hackers targeting Microsoft’s Remote Desktop Protocol (RDP), which allows IT services engineers remote access to Windows machines.

According to Coveware, a company which specialises in negotiating ransom payments with cyber criminals, any company using RDP is ‘Playing roulette with Ransomware’. RDP has become a common attack vector used by hackers to sidestep endpoint security and makes penetrating portioned networks and backup systems simple. It is “the perfect access point for planting malware”, it says.

Remedial Action
Travelex said it had deployed teams of IT specialists and external computer security experts, who have been working continuously since New Year’s Eve to isolate the virus and restore affected systems. It has declined to say whether it will pay the ransom. Raj Samani, chief scientist at McAfee, said it may be possible for companies to identify Sodinokibi attacks early and close the door, but once they have received a ransomware note it is more difficult for them to recover.

Once inside a network, hackers may delete logs to cover their tracks and develop other ways to gain access to networks, even if companies patch vulnerabilities.

“If they have access to Microsoft Active Directory, it means they have the keys to your castle. They have got admin rights. They have got multiple entry vectors,” Samani said. “Paying the ransom is only the top of the iceberg, because it is at this point you are going to have to figure out whether you can recover the systems. There have been companies that have had to rebuild their entire networks.”

'Planned Maintenance'
Currently Travelex websites in 20 countries in Europe and the Middle East remained inaccessible. Visitors to Travelex’s websites in Europe, including the UK, Germany and France, were greeted with notices that services were unavailable because of “planned maintenance”.

Other Travelex websites, including those in Italy and Bahrain, reported that services were temporarily unavailable while Travelex makes improvements. Visitors to the Canadian site were told that the Travelex was 'excited' about a planned redesign of its website and apologised that it was temporarily unavailable “before the big reveal”. Websites in New Zealand and Turkey returned application errors.

McAfee:         Computer Weekly:      BBC:      The Sun:        Coveware 1:      Coveware 2:         

You Might Also Read:

The Financial Services Industry Just Does Not Get It:

The BA Hack And How Not To Respond To A Cyber Attack:

 

 

« Cyber Spying For A Future War
Ten Predictions For Smart Cities »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

INCIBE-CERT

INCIBE-CERT

INCIBE-CERT is the reference security incident response center for citizens and private law entities in Spain

DataSunrise

DataSunrise

DataSunrise Data-Centric high-performance security software protects the sensitive data in real-time in cloud or on premises, and helps organizations to stay compliant.

GreatHorn

GreatHorn

GreatHorn offers the only cloud-native security platform that stops targeted social engineering and phishing attacks on communication tools like O365, G Suite, and Slack.

Norton

Norton

NortonLifeLock is dedicated to helping secure the devices, identities, online privacy, and home and family needs of approximately 50 million consumers.

Picus Security

Picus Security

Huge gaps often exists between the "perceived"​ and "actual"​ IT security level of an organization. Picus Security continuously assesses security controls and reveals deficient ones before hackers do.

ArmorText

ArmorText

ArmorText offers a seamless channel for communication and collaboration for organizations concerned with keeping communication data private and secure.

Labs/02

Labs/02

Labs/02 is a seed-stage incubator with a mission to advance cutting-edge technology in innovative areas including AI, deep learning, autonomous transportation, and smart cities.

MCPc

MCPc

MCPc improves the security and well-being of our clients. We protect data, manage the complexity and sustainability of technology, empower employee performance, and ultimately reduce business risk.

DataExpert Singapore

DataExpert Singapore

DataExpert Singapore provide solutions and services in the areas of Digital Forensics, Data Recovery, Data Duplication, Data Degaussing & Wiping, Data Destruction, and IT Disposal.

Qohash

Qohash

With a focus on data security, Qohash supports security, compliance and optimization use cases enhancing your risk management process.

xorlab

xorlab

xorlab is a Swiss cybersecurity company providing specialized, machine-intelligent defense against highly engineered, sophisticated and targeted email attacks.

Anvilogic

Anvilogic

Anvilogic provides a unifying experience for security professionals aimed at providing improved visibility, enrichment, and context across hundreds of alerting datasets and security tools.

Analygence

Analygence

ANALYGENCE is your trusted partner for mission support, cyber solutions, and management services.

Check Point Software Technologies

Check Point Software Technologies

Check Point Software Technologies is a leading provider of cyber security solutions to governments and corporate enterprises globally.

ASRC Federal

ASRC Federal

ASRC Federal’s mission is to help federal civilian, intelligence and defense agencies achieve successful outcomes and elevate their mission performance.

Arms Cyber

Arms Cyber

Arms Cyber is redefining ransomware defense with advanced solutions that stop attacks before they start.