UK’s Travelex hit by ‘big game’ REvil ransomware attackers

Patch your Pulse Secure VPN server.


UK currency exchange service Travelex has revealed its systems have been encrypted by the REvil ransomware, also known as Sodinokibi. 

The operators of REvil have a reputation for demanding multimillion-dollar ransoms from victims of their ransomware, and in this case they also claim to have stolen 5GB of data from Travelex, including customers’ dates of birth, credit card numbers and national insurance numbers. The attackers have threatened to sell or leak the data if Travelex doesn’t pay.

According to the BBC, the hackers claim to have demanded Travelex pay $6 million. Assuming the data was breached, Travelex may also face a fine of up to 4% of global turnover under Europe’s General Data Protection Regulation (GDPR). 

Travelex took its website and computer systems offline on New Year’s Eve, initially stating the reason was routine maintenance. However, on Tuesday the company updated its homepage to state that “some of its services” had been compromised by the Sodinokibi (REvil) ransomware.

The company also said it hadn’t found evidence that any data had been stolen by hackers. 

“To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated,” Travelex said.

For now, the company has been forced to deliver services manually, without its automated computer systems. The BBC and The Independent have reported accounts from Travelex customers who feel left in the lurch by the company, stranded in foreign countries without cash they were supposed to receive from Travelex and its partners, such as Tesco.

Travelex, which is owned by Finablr Group, said it does not expect the security incident to have a material financial impact on its parent company.

REvil/Sodinokibi ransomware infections exploit Pulse Secure VPN flaw

It’s not clear how Travelex’s systems were compromised. However, UK security researcher Kevin Beaumont raised an alarm this week over a rise in REvil/Sodinokibi ransomware infections being carried out against vulnerable Pulse Secure VPN servers.

Security firm Bad Packets has been tracking the number of endpoints exposed to critical vulnerabilities for which Pulse Secure released patches in April last year. The number of vulnerable Pulse Secure VPN servers has decreased from 14,500 in August, but an internet scan it conducted this January still turned up 3,825 vulnerable VPN servers worldwide.

Beaumont noted that vulnerable Pulse Secure VPN servers are “super easy” to find using the Shodan internet-device search engine, and that the vulnerability was “incredibly bad” because a remote attacker without valid credentials could connect to a corporate network and disable antivirus and multi-factor authentication.

The UK’s National Cyber Security Centre, the US National Security Agency and the US Cybersecurity and Infrastructure Security Agency (CISA) posted alerts over the Pulse Secure VPN flaws last October after detecting exploitation of them by state-sponsored hackers.

REvil is bad news for organizations infected with the ransomware. Discovered in April last year, it has been used in attempts to extort managed service providers, over a dozen Texas local governments, and over 400 US dentist offices.

Ransomware attackers threatening to leak or sell stolen data, in addition to encrypting files, has become a growing trend in recent months. The gist of the approach is to ratchet up pressure on victims — many of which operate critical civil or business services — to pay the ransom demand. While hackers can create security and privacy problems for victims by leaking the data online, the details allegedly stolen from Travelex could also have value on cybercrime forums.

BleepingComputer reports that the operators of REvil/Sodinokibi posted a message on a cybercrime forum claiming that, if Travelex doesn’t pay up, they will sell the 5GB of information to other criminals.

The site published a post from a REvil admin who uses the name “Unknown”, claiming that each ransomware attack also involves copying commercial information from the target. Unknown wrote: “In the case of refusal of payment - the data will either be sold to competitors or laid out in open sources. GDPR. Do not want to pay us - pay x10 times more to the government. No problems.”

The BBC reports that the UK’s Information Commissioner’s Office has not yet received a data breach report from Travelex.

Copyright © 2020 IDG Communications, Inc.