Cyber criminals stalked Travelex before launching attack

Secretive group has threatened to delete the company’s data unless it is paid $6m

A passenger walks past a Travelex currency exchange at Manchester Airport in Manchester, Britain January 8, 2020. REUTERS/Phil Noble
Powered by automated translation

The cyber criminals holding foreign exchange giant Travelex to ransom are likely to have spent days inside the company’s computer network secretly preparing for an attack that has downed its systems for more than a week, security experts said on Wednesday.

A software virus known as Sodinokibi was discovered to have compromised the company’s systems on New Years’s Eve prompting the world’s largest independent foreign exchange business into a worldwide online shutdown.

Cybercriminals use ransomware to lock-up and potentially delete a targeted company’s data unless a payment is made. The BBC reported that the gang behind the attack on Travelex wants $6 million or the company would see its data deleted.

Cybersecurity experts were working this week to repair and rebuild its systems as UK police investigated the attack, the company said.

Sodinokibi – also known as REvil – first emerged in April last year and is believed to be a more powerful version of ransomware first developed by Eastern European cybercrime gangs.

A group who claimed responsibility for the Travelex attack told the BBC that it gained access to the computer network six months ago and has downloaded sensitive data including credit card information and customers dates of birth.

Travelex confirmed the attack on Tuesday and said that while some information had been encrypted by the criminal invaders there was “no evidence to date” that any customer data had been downloaded.

“Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful,” the company said in a statement. It said it was talking to regulators around the world.

Cybersecurity sources told the National that the ransomware was a relatively sophisticated new version used for targeted attacks rather than sending spam in the hope that a user would open infected attachments to trigger the attack.

“Bad guys get into the networks and spend time understanding the network and the environment to try to encrypt as much as possible,” the source said.

“If you’re the bad guy, you run the risk of discovery but want to spend enough time trying to work around this network to create the biggest impact. It’s likely to be a handful of days.”

The operation appears to have its roots in a previous ransomware programme, known as GandCrab, which was sold on to criminal groups from January 2018, according to technology news site ZDNet.

When it was shut down 18 months later, its creators announced their retirement and claimed that they had earned more than $2 billion in ransom payments that were laundered through legitimate businesses.

Cybersecurity sources told The National that the more advanced Sodinokibi ransomware was launched shortly after GandCrab was retired and showed similarities in coding leading researchers to believe that the same creators were involved.

Mike McLellan, director of threat research at Secureworks, said the source coding of Sodinokibi was controlled by a small group of operators.

“These operators create unique builds of the malware on behalf of their affiliates, who number between one and two dozen active at any point, who then distribute the malware,” he said.

It was then sold on with the key players behind the operation taking a percentage of the ransoms paid out, he said. He said it was not clear at this stage if the Travelex attack was waged by the core operators or an affiliate.

The success of ransomware relies on ill-prepared companies and individuals paying ransoms rather than losing data and systems that could take months to rebuild, researchers said.

Companies also face pressure to settle quietly or face fines from data regulators because of the loss of sensitive customer details.

Similar attacks to Travelex using different ransomware groups targeted British forensic research provider Eurofins Scientific last year and the shipping giant Maersk in 2017, which disrupted operations in four different countries costing it up to $300 million in disruption.

Travelex, which has more than 1,000 stores in 26 countries and processes 5,000 currency transactions every hour, took down websites across 30 countries in the wake of the attack.

Parent company Finablr said its six other brands, including the UAE Exchange and Xpress Money, are not affected.

Rob Pritchard, of The Cyber Security Expert which helps companies rebuild their systems after attacks, said previous incidents had highlighted how ill-prepared many businesses were to prevent ransomware attacks.

Rebuilding systems to prevent long-term reputational damage could involve repairing “ten years of work in a few days”, he said.

“Ransomware groups have moved from sending viruses via emails to being more capable making efforts to compromise an organisation. When they do turn on the ransomware, it’s pretty devastating.”

“As good and sophisticated as these attackers are, they rely on poor security.”