Foreign currency exchange provider Travelex is reported to have paid $2.3 million in bitcoin to restore its network after hackers launched a ransomware attack against the company Dec. 31.

The Wall Street Journal reported today that Travelex decided to pay the 285 bitcoin ransom to the REvil ransomware gang on the advice of experts. REvil had threatened to publish the personal data of Travelex’s customers if the ransom wasn’t paid.

Travelex noted that U.K. law enforcement was still investigating the case but declined to comment further.

REvil, also known as Sodinokibi, is a ransomware gang that was first identified in April 2019. It was first detected exploiting a Windows vulnerability before going on to attack broader targets. Some of its victims include data center provider CyrusOne Inc. and Pulse Secure VPN.

Paying a ransom to ransomware attackers is a contentious issue. Travelex itself didn’t help matters by first claiming that it had only been struck by a “software virus” and said in a public statement on Twitter that “our investigation to date shows no indication that any personal or customer data has been compromised.”

On Jan. 7, REvil went public with its ransom demand, saying that it would disclose the details of Travelex customers. “In the case of payment, we will delete and will not use that [data]base and restore them the entire network,” the group said. “The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”

That Travelex paid $2.3 million in bitcoin is proof enough that the company most likely lied about customer data not being compromised.

Alan Woodward, a cybersecurity professor at the University of Surrey, told the Journal that if someone pays a ransom, they get put on the list of payers. “You are one of those that’s most likely to pay up,” he said. “That makes you a target for everybody else.”

Travelex is not alone in deciding to pay a ransom demanded in a ransomware attack. In an interesting demonstration of democracy, the Florida city of Riviera Beach, 50 miles north of Fort Lauderdale, voted unanimously to pay a ransom to resolve an attack that started in May.

Photo: Ralf Roletschek/Wikimedia Commons