- Foreign exchange company Travelex paid hackers about $2.3 million in ransom following a cyberattack on Dec. 31, 2019, The Wall Street Journal reported.
- Travelex was targeted by the Sodinokib, or REvil, ransomware. The company consulted with experts and "kept regulators and partners informed" during the transaction, according to the report. "There is an ongoing investigation ... and we will not be discussing this at this time," a Travelex spokesperson told CIO Dive in an email.
- When Travelex was first hit, it took down its websites globally to contain the spread of the virus. It took the company about a month to fully restore all websites. An investigation for a possible breach is still ongoing.
In early January, the hacker group told BleepingComputer it had encrypted Travelex's network and made copies of 5 GB of personal data. If Travelex didn't pay the ransom, they would publicly publish the data.
REvil took note from other ransomware strains, namely Maze, publicly exposing encrypted data. The ransomware has top affiliates with GandCrab, after it "retired" in May last year. The ransomware-as-a-service model allows hackers to spread the virus any way they like, according to McAfee.
When Sodinokib struck Travelex, the company was using insecure services, reported BleepingComputer. Pulse Secure VPN had a significant security patch issued last year. The vulnerability enabled remote connection to a corporate network without a username or password through the device with the VPN, according to the company's website.
It's likely the cybercriminals were lurking on Tavelex's network before initiating their ransomware.
REvil started circulating in April 2019 and has since been behind cyberattacks on at least 23 Texas municipalities, 400 U.S. dentist offices and a managed service provider. When the strain hit an IT service provider for dentist offices in December, it infected more than 100 customers.
The hackers have had a successful year.
Economically, it can be more feasible to pay a ransom than to pay for a complete rebuild. However, that requires the victim to trust cybercriminals.
Last month a medical research firm in line to work on vaccines for the coronavirus was hit by ransomware. The company "repelled" the attack and restored its systems on the same day. While Hammersmith Medicines Research was able to rebound from the ransomware, the attackers had a leg up. The attackers had stolen data and published it about a week later.
It's also possible that during remediation, the victim could unintentionally erase forensic evidence that could indicate a data breach. Because some strains of ransomware are working in tandem with banking trojans, additional assessments are required to track any unlawful access to data.