Ransomware shuts down Travelex systems

Forex multinational Travelex has confirmed that the "software virus" that forced the company to take all of its systems offline is the REvil/Sodinokibi ransomware.

The ransomware attack took place on New Year's Eve, forcing Travelex branches to manually handle transactions as online services were suspended in order to contain the spread of the ransomware and to protect data.

Travelex says it has now restored a number of internal systems to normal operation.

The company said it has completed the containment stage of its remediation process, and that detailed forensic analysis is underway.

As of yet, Travelex does not have a complete picture of all the data that has been encrypted by the ransomware.

No evidence has surfaced so far that structured personal customer data has been encrypted, or exfiltrated.

This is in contrast with a report in Computer Weekly that alleged the criminals deploying the Revil/Sodinokibi ransomware had attacked servers storing sensitive, confidential information that included customer names and their bank account and transaction details.

Computer Weekly quoted from the ransom note left by the attackers which demanded payment in Bitcoin for a decryptor to recover the scrambled files.

It is understood that the ransom demanded is US$3 million and that the attackers have threatened to publish data they claim to have taken unless payment is forthcoming.

How the ransomware found its way to Travelex servers has not yet been disclosed, but Troy Mursch, chief research officer at security vendor Bad Packets said it notified the forex multinational in September of a serious vulnerability in its Pulse Virtual Private Networking servers. The vulnerability went unpatched until November.

Mursch said Bad Packets received no response to its report from Travelex.

Prior to that, security researcher Kevin Beaumont noted that Travelex was operating cloud instances of Windows Server on Amazon Web Services that had Remote Desktop Protocol (RDP) enabled and exposed to the internet, but with Network Level Access (NLA) control disabled.

An RDP flaw, known as BlueKeep, allows for full remote compromise of Windows without user interaction.

Travelex is currently operating in manual mode with banks like HSBC and Barclays unable to use the company's foreign exchange services.

“Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise," it said in a statement.

"We take very seriously our responsibility to protect the privacy and security of our partner and customers’ data as well as provide an excellent service to our customers and we sincerely apologise for the inconvenience caused."

Travelex is in discussions with Britain's National Crime Agency and the Metropolitan Police, which have both launched criminal investigations into the attack, as well as with regulators in the markets that the forex dealer operates in.

Despite the attack closing down online systems, Travelex said it does not currently anticipate any material financial impact for its parent Finablr.