UPDATED 21:35 EDT / JANUARY 07 2020

SECURITY

Travelex hackers demand payment for stolen data following ransomware attack

More details have emerged surrounding the attack on foreign currency exchange provider Travelex Dec. 31, with confirmation that it involved ransomware and that those behind the attack are demanding a ransom payment of $6 million to delete stolen data.

The attack, now known to have involved the Sodinokibi (REvil) ransomware, was originally described by Travelex as a “software virus” that “compromised some of its services.” Those services included websites and online services in the U.K. as well as some services in other countries in which Travelex operates.

Travelex claimed that no personal or customer data have been compromised in the ransomware attack. Although that may be true, the Sodinokibi gang behind the attack claims to have stolen data from the company. The group claims to have 5 gigabytes of sensitive data that it had obtained six months ago in its possession, including dates of birth, credit card information and national insurance number details.

The hackers told the BBC Tuesday that “in the case of payment, we will delete and will not use that [data]base and restore them the entire network,” and that “the deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”

Travelex hasn’t yet responded to the claim of stolen data. The U.K. Information Commissioner’s Office said it has not received a data breach report from the company. Under U.K. law, companies must inform the ICO of a data breach within 72 hours of becoming aware of it.

More details on how the group gained access to and successfully attacked Travelex are also coming to light. The attack is now believed to involve the exploitation of a vulnerability in the Pulse Secure VPN Enterprise solution. The vulnerability allows those without valid usernames and passwords to connect remotely to a corporate network. The vulnerability was patched in August but Travelex hadn’t deployed the patch to its network.

“Recently, we have seen the Sodinokibi ransomware variant become increasingly prevalent in Pulse Secure VPN vulnerability cases,” Jared Greenhill, director at digital forensics firm Crypsis Group ,told SiliconANGLE. “But it’s not only the frequency of cases that is at issue. The techniques and methods used across the range of ransomware criminal actors provide profound challenges of their own.

Greenhill said the hackers are using more sophisticated vectors to deliver it, such as defeating multifactor authentication protections and are going to “great lengths” to ensure they’re paid.

“This includes examples such as disabling backup systems, being unwilling to negotiate ransoms when they assume the company is able to pay the asking rate, and, in some cases, threatening to publish data if not paid in full,” Greenhill said. “While applying security best practices is highly recommended, threat actors are getting more sophisticated in working around protections and tools, making the fight against ransomware continually more difficult for organizations.”

Chris Morales, head of security analytics at threat detection firm Vectra AI Inc., also noted that any vulnerability in the remote access of a network is a big deal.

“I don’t know all the variables at play specific to Travelex, but it is a shame that vulnerability management and patching are still difficult to do,” Morales said. “I would not be surprised to hear of other uses. Leveraging existing remote access due to vulnerabilities or weak passwords has been behind a lot of the ransomware attacks in the past year, including the 22 local state governments in Texas.”

Photo: Ralf Roletschek/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU