Skip to main content
close search
site logo
Dive Brief

Travelex paid the ransom, breach investigation still underway: report

Published April 9, 2020
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Photo by Josh Appel on Unsplash

Dive Brief:

  • Foreign exchange company Travelex paid hackers about $2.3 million in ransom following a cyberattack on Dec. 31, 2019, The Wall Street Journal reported
  • Travelex was targeted by the Sodinokib, or REvil, ransomware. The company consulted with experts and "kept regulators and partners informed" during the transaction, according to the report. "There is an ongoing investigation ... and we will not be discussing this at this time," a Travelex spokesperson told CIO Dive in an email. 
  • When Travelex was first hit, it took down its websites globally to contain the spread of the virus. It took the company about a month to fully restore all websites. An investigation for a possible breach is still ongoing.

Dive Insight:

In early January, the hacker group told BleepingComputer it had encrypted Travelex's network and made copies of 5 GB of personal data. If Travelex didn't pay the ransom, they would publicly publish the data. 

REvil took note from other ransomware strains, namely Maze, publicly exposing encrypted data. The ransomware has top affiliates with GandCrab, after it "retired" in May last year. The ransomware-as-a-service model allows hackers to spread the virus any way they like, according to McAfee. 

When Sodinokib struck Travelex, the company was using insecure services, reported BleepingComputer. Pulse Secure VPN had a significant security patch issued last year. The vulnerability enabled remote connection to a corporate network without a username or password through the device with the VPN, according to the company's website

It's likely the cybercriminals were lurking on Tavelex's network before initiating their ransomware.

REvil started circulating in April 2019 and has since been behind cyberattacks on at least 23 Texas municipalities, 400 U.S. dentist offices and a managed service provider. When the strain hit an IT service provider for dentist offices in December, it infected more than 100 customers. 

The hackers have had a successful year. 

Economically, it can be more feasible to pay a ransom than to pay for a complete rebuild. However, that requires the victim to trust cybercriminals. 

Last month a medical research firm in line to work on vaccines for the coronavirus was hit by ransomware. The company "repelled" the attack and restored its systems on the same day. While Hammersmith Medicines Research was able to rebound from the ransomware, the attackers had a leg up. The attackers had stolen data and published it about a week later. 

It's also possible that during remediation, the victim could unintentionally erase forensic evidence that could indicate a data breach. Because some strains of ransomware are working in tandem with banking trojans, additional assessments are required to track any unlawful access to data.

Recommended Reading

Filed Under: Security

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Welcomes Lakshmi Hanspal as New Chief Trust Officer
From DigiCert
October 24, 2024
Productboard Launches AI-Powered Productboard Pulse To Integrate Voice of Customer Into Produc…
From Productboard
October 29, 2024
Celonis Business Collaboration Networks Drive Process Improvement Across Company Boundaries
From Celonis
October 23, 2024
Cosentino Drives Business Transformation with AI Powered by Celonis Process Intelligence
From Celonis
October 23, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell