Getty Images

Don’t become the next Travelex: Get ready for ransomware

With Travelex’s IT still in disarray and banks and travellers left without access to funds more than a week after it was hit by a ransomware attack, we ask what others can learn from the foreign exchange services company’s response to the incident

This article can also be found in the Premium Editorial Download: Computer Weekly: How to avoid becoming the next Travelex

When Computer Weekly first reported that the systems of foreign currency exchange services provider Travelex were down following a hack on Friday 3 January, it seemed like just another ransomware attack, distinctive merely for being the first of many that we will report on in 2020. It wasn’t.

Over the weekend and into this week, it quickly became apparent that this was something more. Indeed, for Travelex, it has become the worst-case scenario. With retail banking customers shut out of the forex system, and thousands of business and leisure travellers unable to access funds, Travelex is haemorrhaging money and trashing its reputation.

Meanwhile, the as-yet unknown group responsible for infecting Travelex’s systems with Sodinokibi ransomware – usually spread through email in a PDF or .doc file – continues to increase its demands. At the time of writing, the cyber criminals were asking for over £4m – up from £2m a few days ago.

According to new reporting, the situation inside the firm is chaotic, with anonymous employees telling the BBC of a breakdown in leadership and communication within Travelex, which has been left shell-shocked by the attack.

It is, by now, abundantly clear that Travelex has failed to prepare for such an attack and, as such, innocent employees and customers are suffering the consequences.

So how do you prepare for ransomware?

Oven-ready response

If Travelex’s misfortune highlights one thing, it is the need to plan your response to a security incident from every possible angle. Obviously, this must be done ahead of time to avoid becoming the next high-profile victim, so now is as good a time as any to start, said Alan Stewart-Brown, vice-president of sales for Europe, the Middle East and Africa (EMEA) at Opengear.

“Best practice suggests you should have an incident plan in place before the incident, so you are ready to go if something happens. There should be a remediation plan in place so that the right people are doing the right things in real time,” he said.

Sam Curry, chief security officer at Cybereason, added: “If you haven’t been breached, you should think about what you’d do. And if you don’t know how, ask for advice, including from people who responded well.

“We like to spend a lot of time talking about budgets, product roadmaps, and so on, but as senior executives, we need to take time to evaluate what the risk is like if something happens. In the heat of the moment, you’ll have a fight or flight response, and you don’t want adrenaline to drive critical decisions as a company.”

Don’t panic!

It is important to remember that it is precisely this adrenaline-driven response that may lead to heat-of-the-moment actions, such as yanking the plugs out of your servers.

Such actions can have dire consequences. You risk destroying critical evidence that will help in the investigation or compromising data that will help you get up and running again quickly.

Stuart Reed, head of cyber security at Nominet, said panicked responses to security incidents come down to lack of preparation. “A lot of it comes back to understanding network visibility and where your data is,” he said. “Having holistic visibility of what’s going on in your network and what’s communicating with what is actually a really important part of understanding the health and risk footprint of the organisation.

“Having holistic visibility of what’s going on in your network and what’s communicating with what is a really important part of understanding the health and risk footprint of the organisation”
Stuart Reed, Nominet

“It’s something CISOs should be striving to understand, regardless of whether or not they’ve been breached. The more visibility you can create, the more you will be able to identify anomalies early on.”

Reed suggested a checklist that could form the core of a response plan and help you focus, rationally, on how to get through an incident. First, he said, you must understand what has been compromised and the likely impact, then understand what needs to be quarantined or shut down.

After that, it’s time to communicate to the business and activate a remediation plan, both technically and in terms of notifying those affected and, where appropriate, regulatory bodies and law enforcement.

At the same time, technical teams must be hard at work closing down the attack surface and locating and restoring from the backups you have made. Finally, you can begin work on making sure this doesn’t happen again.

Transparency and communication

Lewis Henderson, vice-president of threat intelligence at Glasswall Solutions, said a lot of Travelex’s problems could have been avoided if it had been more transparent and open about security incidents.

“Transparency is the new security,” he said. “That doesn’t mean telling the world what you use, but telling it what you do.

“Public communication [from Travelex] has been infrequent, backed up with vague, if not misleading, messaging. It took several days for the leadership to provide some form of clear public messaging”
Wicus Ross, SecureData

“Communication at all levels with all parties is the one thing we can be critical of. We’re not here to be overly critical of being the victim, but when you are, how you react and how you communicate to your staff, board and customers is critical.”

In this instance, Travelex’s response certainly left a lot to be desired. Wicus Ross, senior researcher at SecureData, said: “Public communication has been infrequent, backed up with vague, if not misleading, messaging. The message of ‘down for planned maintenance’ speaks to the latter statement. It took several days for the leadership to provide some form of clear public messaging.

“Even after that, official updates were lacking, with some external sources providing the only updates through what they claimed to be leaked sources. It is very likely that Travelex had private discussions with its business partners, but there was a clear lack of public guidance to put the average customer at ease. This erodes brand reputation and trust, further raising suspicion.”

Read more about ransomware

Cybereason’s Curry said that without being on the inside of the Travelex incident, it was impossible to say what is motivating the company’s obscurantist behaviour in response to the attack without speculating. But there are two reasons why organisations go quiet after a cyber security incident, he said.

The first, and more benign, reason is that it can be difficult to tell when a hack has happened, and to establish what is going on.

The second reason is that somebody might be attempting a cover-up or is afraid for their job. There is, incidentally, no suggestion that this has happened at Travelex.

“You should move in a timely manner,” said Curry. “Act transparently and act early. My advice to people who find themselves in Travelex’s situation is always to default to transparency.”

Metals supplier Norsk Hydro, which last year disclosed that it had fallen victim to a ransomware attack within hours of the event, serves as an excellent example of good response practice. Or as Curry put it: “Defaulting to transparency breeds long-term trust.”

SecureData’s Ross said there were clear lessons for Travelex, and everybody else, from the Norsk Hydro incident. “What stood out from the way Norsk Hydro handled the incident is the way the executives took control of the situation, especially the company’s messaging,” he said. “The communication was transparent, frequent and public.

“This allowed Norsk Hydro to show maturity and limit reputational damage while maintaining trust. The way that Norsk Hydro responded felt well executed, almost as if they have rehearsed it before. Procedures that normally govern such actions must already be in place beforehand, which shows foresight and due diligence.”

PR and media

Having a public relations and media strategy in place is also critical. In Travelex’s case, anonymous employees are now reaching out to media outlets themselves, and while this is good for journalism, it’s terrible for the organisation because it is losing control of the message.

Glasswall’s Henderson said that delivering a crisp, clear story to journalists is extremely helpful in shaping public perception of the incident.

“If Travelex had said, ‘We are experiencing an incident, we think it is ransomware, we are defending against it and trying to recover’, everybody would have had a different take on it,” he said. “You can use the media as a highly effective communication tool. Where people do go public, it ends speculation, it’s disarming.”

Henderson recommended that organisations put in place an internal and external communications playbook as part of their incident preparedness strategy.

CISOs must be adequately prepared to communicate messages both up to the board and down to employees, then outside to suppliers, partners, customers and journalists.

Maintaining open channels of communication is also important when rebuilding trust after a breach, said Andy Stark, cyber security director at Redmosquito.

“I would suggest Travelex will need to work very closely with a PR company and liaise with them to regain their public profile,” he said. “They’ll probably also need to work closely with HR in order to rebuild staff confidence.”

But, added Stark, in terms of historic hacks that have resulted in high-profile companies taking a reputational hit, they do recover quite quickly. After all, he said, people still use Equifax.

To pay or not to pay

Finally, the affected organisation must take the decision to pay or not to pay the ransom. This is a tougher decision than it might seem, even though most official guidance from law enforcement urges you not to pay.

“Yes, you’re funding the criminal underground, it’s heinous and horrible,” said Curry. “But say you’re running a medical centre and people might die because of the cyber attack. Then what do you do?

“Every victim is different, so set your policy now, decide your threshold, and what scale of loss is too much to bear. If lives are in the balance in a hospital facing a 50 grand ransom, then pay it.

“Decisions about risk have to be left to infected organisations until such time as the law says differently. It should be our job in cyber security to equip people to make the right decisions.”

Opengear’s Stewart-Brown took a similar stance. “It’s a dangerous thing to do,” he said. “Once you pay a ransom, it opens a can of worms and encourages criminals to do it again. My personal feeling is that Travelex should not pay, but I’m not the one who has to do the risk assessment as to what the damage will be to the business if it loses this data.”

“If Travelex had had a plan and had rehearsed it, they could have been back up and running within 24 hours. So if you’re in a situation where you are prepared and can recover, why would you pay a ransom?”
Lewis Henderson, Glasswall Solutions

Glasswall’s Henderson acknowledged that paying a ransom is risky, but pointed out that having a robust incident plan in place will actually help you make your mind up.

“If Travelex had had a plan and had rehearsed it, they could have been back up and running within 24 hours,” he said. “So if you’re in a situation where you are prepared and can recover, then why would you pay a ransom?”

But Nominet’s Reed is firmly in the ‘never pay’ camp. “Quite simply, don’t do it,” he said. “Firstly, it sends out a message that you are potentially a lucrative target, and secondly, there’s no guarantee that you’ll get the data back.

“These aren’t goods and services that Travelex is being offered by a legitimate entity. They are criminals looking to extort money, so no, absolutely, my advice would be do not pay the ransom.”

Next Steps

FBI IC3 report's ransomware numbers are low, experts say

Read more on Data breach incident management and recovery