Getty Images
Cyber gangsters demand payment from Travelex after ‘Sodinokibi’ attack
Cyber criminals are demanding payment to decrypt Travelex’s computer files after a devastating malware attack. New questions have been raised about the security of Travelex’s computer network after it emerged the company waited eight months to patch vulnerable VPN servers
Foreign exchange company Travelex is facing demands for payment to decrypt critical computer files after it was hit by one of the most sophisticated ransomware attacks, known as Sodinokibi, which disabled its IT systems on New Year’s Eve.
The company, which has operations in 70 countries, has faced days of disruption after criminal hackers penetrated its computer networks and delivered a devastating attack timed to hit the company when many of its staff were on holiday.
According to security specialists, criminals are demanding a six-figure sum to supply Travelex with decryption tools that will allow it to recover the contents of files across its computer network that have been encrypted by the virus.
The Metropolitan Police Service’s cyber crime unit began an investigation when Travelex reported the breach two days after the ransomware infected the financial services company’s networks.
The Met said in a statement: “On Thursday 2 January, the Met’s cyber crime team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Enquiries into the circumstances are ongoing.”
Travelex, owned by Abu Dhabi financial services group Finabir, has fallen victim to one of the most sophisticated cyber extortion rackets.
Sodinokibi, also known as REvil, appeared in April 2019, offering criminal gangs the opportunity to rent the ransomware and customise it to target their own victims in return for a cut of the profits. Some criminal groups have links to Syria and Iran, according to research by McAfee.
Hackers demand decryption ransom
The disclosure comes amid new evidence that Travelex took eight months to patch computer servers containing a critical security vulnerability after the problem was first disclosed by security researchers, leaving its networks vulnerable to attacks from cyber criminals.
The malware struck Travelex, which has 1,200 branches worldwide, in the early hours of 31 December 2019, when it encrypted critical business files and left readme documents on infected computers.
The readme files instructed Travelex to pay a ransom in bitcoin through a website with a top-level domain registered in China in March 2019.
“It is just business. We absolutely do not care about you or your details, except getting benefits. If we do not do our work and liabilities – nobody will not co-operate with us. It is not in our interests,” the readme file read.
“If you do not co-operate with our service – for us it does not matter. But you will lose your time and your data, cause just we have the private key. In practice time is much more valuable than money.”
The hackers instructed Travelex staff to use the secure Tor browser to visit a website which appears to be hosted in a datacentre in Colorado, US. The website prompts users to enter a long pass key that will unlock instructions on how to pay a ransom to release decryption tools.
The attack resulted in at least 20 Travelex websites in different countries becoming inaccessible and left its outlets in airports and other retail sites without access to the internet or email or Travelex’s IT systems, as the company shut down systems to prevent the spread of the virus.
People familiar with the attack told Computer Weekly that computers containing confidential information, including names of clients and bank account and transaction details, had been infected by Sodinokibi, which adds a random character string to the end of each encrypted file.
The attack has also disrupted banks, including Sainsbury’s Bank, Barclays, HSBC, Virgin Money, First Direct and Asda Money, along with others that rely on Travelex to provide their foreign exchange services.
Travelex staff have been forced to record transactions manually, and are unable to take card payments for foreign currency or deliver pre-ordered currency to travellers who had pre-ordered it for collection.
Customers have complained they have been unable to top up their Travelex currency cards, confirm transactions have taken place, check balances or use the Travelex app.
Kent-based photographer David Milne told Computer Weekly on 5 January that he was still waiting for Travelex to deliver £500 by a money transfer that was due on 1 January.
“I assume the funds are in limbo, but no one can seem to shed any light,” he said.
Travelex slow to patch critical servers
Computer Weekly has established that Travelex had waited for eight months to patch critical security weaknesses in the Pulse Secure virtual private network (VPN) servers it uses to provide employees with remote internet access to its central computers, leaving the company’s networks vulnerable to access by cyber criminals.
Security researchers reported that Pulse Secure VPN services contained bugs that could allow people to gain covert access to a company’s network, prompting Pulse Secure to issue an advisory notice and software patches to correct the problem in April 2019.
Security company Bad Packets sent emails to thousands of companies with vulnerable Pulse Secure VPN services, after identifying that hackers were attempting to exploit the vulnerabilities.
It warned Travelex on 13 September that it had seven unpatched Pulse Secure VPN servers in Australia, the Netherlands, the UK and the US, with vulnerabilities that could allow attackers to access its networks, but received no response.
In early October, the UK’s National Cyber Security Centre (NCSC), part of GCHQ which advises businesses on cyber security, and the US National Security Agency, issued an alert warning that cyber criminals were attempting to infiltrate organisations worldwide through vulnerabilities in Pulse Secure and other VPNs.
“This activity is ongoing, targeting both UK and international organisations. Affected sectors include government, military, academic, business and healthcare,” the NCSC warned.
“Users of these VPN products should investigate their logs for evidence of compromise, especially if it is possible that patches were not applied immediately after their release.”
Analysis by Bad Packets shows that Travelex did not patch the servers until early November 2019, leaving a critical window in which the servers were vulnerable to attack.
Troy Mursch, chief research officer at Bad Packets, said it was possible that hackers could have gained access to Travelex before it patched its servers.
“I don’t want to speculate too much, but once someone has compromised a network and gained a foothold inside, they could activate [malware] at any time,” he said. “This is not a case where a company had one VPN server – they had multiple gateways inside their corporate networks.”
Travelex remote desktops vulnerable
According to researchers at McAfee Labs, cyber attackers use a variety of techniques to plant Sodinokibi on targeted computer networks. These include targeted phishing email attacks and exploit kits – compromised websites used to spread malware.
The majority of attacks, however, start by hackers targeting Microsoft’s Remote Desktop Protocol (RDP), which allows IT services engineers remote access to Windows machines.
Kevin Beaumont, security specialist
According to Coveware, a company which specialises in negotiating ransom payments with cyber criminals, any company using RDP is “playing roulette with Ransomware”.
RDP has become a common attack vector used by hackers to sidestep endpoint security and makes penetrating portioned networks and backup systems simple. It is “the perfect access point for planting malware”, it says.
Security specialist Kevin Beaumont told Computer Weekly that Travelex had allowed RDP to be accessible from the internet, without using network-level authentication, which provides a layer of security.
This meant it would be possible for hackers to access the login screens of computers on Travelex’s network and to use “brute force” software to guess passwords.
“Exposing Remote Desktop [Protocol] directly to the internet is not a recommended practice, as it allows attackers to repeatedly try different passwords to gain access. Typically, you will receive thousands of login attempts every hour like this – sooner or later, attackers will gain access,” he said.
Remedial action
Travelex said it had deployed teams of IT specialists and external computer security experts, who have been working continuously since New Year’s Eve to isolate the virus and restore affected systems. It has declined to say whether it will pay the ransom.
Raj Samani, McAfee
Raj Samani, chief scientist at McAfee, said it may be possible for companies to identify Sodinokibi attacks early and close the door, but once they have received a ransomware note it is more difficult for them to recover.
Once inside a network, hackers may delete logs to cover their tracks and develop other ways to gain access to networks, even if companies patch vulnerabilities.
“If they have access to [Microsoft] Active Directory, it means they have the keys to your castle. They have got admin rights. They have got multiple entry vectors,” he said.
“Paying the ransom is only the top of the iceberg, because it is at this point you are going to have to figure out whether you can recover the systems. There have been companies that have had to rebuild their entire networks.”
‘Planned maintenance’
Last night, one week after the virus infection, Travelex websites in 20 countries in Europe and the Middle East remained inaccessible.
Visitors to Travelex’s websites in Europe, including the UK, Germany and France, were greeted with notices that services were unavailable because of “planned maintenance”.
Other Travelex websites, including those in Italy and Bahrain, reported that services were temporarily unavailable while Travelex makes improvements.
Visitors to the Canadian site were told that the Travelex was 'excited' about a planned redesign of its website and apologised that it was temporarily unavailable “before the big reveal”. Websites in New Zealand and Turkey returned application errors.
Update: On 7 January, Travelex added a notice to its US company website site disclosing the security breach to its customers.
Additional research by Matt Fowler.
This story was updated with additional information on 7 January 2020.
Travelex customers left in limbo
Travelex customers took to social media to complain that they had been left in limbo by the cyber attack against Travelex, writes Julia Gregory.
One customer tweeting as Benjamin Rice said he had dollars on order and was struggling to get them. “Hi I have tried to use your website over the past couple of days to order/collect some dollars for collection on Monday, but there seems to be a permanent runtime error on the page. Is there an issue? Can I order another way to guarantee the best rate?”
Auckland-based recruitment company manager Matt Bartlett tweeted about the problems he experienced over missing money. Travelex asked him to contact them privately to resolve the issue.
Cezz Pulvinar tweeted that she was inconvenienced by the malware attack and planned to exchange cash when she arrived at her destination. Tweeting as @MissVee0412, she said: “Had to spend double the amount to get cash as I can’t have my refund now – ordered and paid online. Some people prefer cash than card.” She added that: “All systems crash/many get hacked but it’ll be nice for everyone to find out earlier on! I hope you fix the problem soon!”
Nick Meiris contacted Travelex to find out how he could check the balance on his account, as by 3 January: “I’ve been unable to check for 3 days now and it’s becoming a bit of a joke and starting to impact my holiday...” The company directed him to a weblink to help him keep a track on his holiday money.
Travelex said it was using external IT security experts, as well as deploying its own teams, to try to crack the problem quickly. It said they had been “working continuously since New Year’s Eve to isolate the virus and restore affected systems”.