Cyber gangsters have stepped up the pressure on Travelex to pay a $6m ransom to decrypt the company’s data by issuing a new threat to sell personal data about its customers on the dark web.
The threat comes after a cyber crime group used sophisticated malware, known as Sodinokibi or REvil, to encrypt the currency exchange’s computer files, forcing the company to switch off its worldwide computer network.
Travelex, which has hired computer experts to investigate the incident, said on 9 January that it was making progress in bringing its systems back online and that there was “still no evidence to date that any data has been exfiltrated”.
The attack has disrupted Travelex operations for 10 days, leaving the firm’s customers unable to collect foreign currency orders, use the Travelex app, or pay for currency using credit cards. This has led to widespread complaints from customers.
Over a dozen banks, including the Royal Bank of Scotland, NatWest, First Direct, Barclays and Lloyds, which rely on Travelex to provide services, have also told customers they are unable to take orders for foreign currency.
The crime group has stepped up pressure on Travelex, which has operations in 70 countries, by threatening to sell personal data collected from the company, including credit card details, on a Russian cyber crime forum.
Travelex threatened on Russian crime forum
A post on Russian cyber crime forum Exploit on 7 January claimed that the criminals behind the Sodinokibi attack were poised to cash in by selling financial details, including the dates of birth, US Social Security numbers and credit card details of Travelex customers.
“We recommend that Travelex starts gathering money for payment, or DOB + SSN + CC will be sold to a relevant party,” it said.
The post was made by an individual using the pseudonym “UNKN”, or Unknown, who has previously used forums on the dark web to sell access to Sodinokibi ransomware to other criminal groups.
Previous posts from UNKN have correctly named other companies, including the US company CyrusOne, that were targeted by Sodinokibi.
Irina Nesterovsky, head of research at Kela, the Israeli security company specialising in darknet threat intelligence that discovered the post, said evidence from underground forums strongly linked UNKN to Sodinokibi.
“There is a discrepancy between what Travelex is saying and what these guys claim. You can’t always rely on the predator of the criminal, but there is a high probability they are correct,” she said.
The claims have been disputed by Travelex, which issued a statement saying there was no evidence that “structured personal customer data” had been encrypted, and no evidence to date that any data had been exfiltrated from Travelex.
Rise of ransomware as a service
Over 40 criminal groups, known as affiliates, use the Sodinokibi ransomware to attack businesses and government organisations around the world, raking in millions from organisations that have paid ransom fees.
The developers of Sodinokibi rent it out in a business model described as “ransomware as a service”, which offers customisable ransomware to criminal groups for a 30-40% cut of their profits, according to researchers at McAfee Labs.
UNKN first appeared on Exploit in July 2019, offering to supply customisable “private ransomware” written in the C programming language to a limited number of participants.
“Get ready for an interview and show evidence of the quality of the installations. We are not a test side, and the ‘learners’ and ‘I will try / I will try’ there is nothing to do,” it said. “No school emails.”
The post in Exploit, a dark web forum used to discuss, share and trade information on security vulnerabilities, data breaches and compromised databases and networks, said the group had been working on the software for several years, and was fully operational.
The software provided statistics of infections, a payment page which allowed victims to pay ransoms using the bitcoin cryptocurrency, and trial decoders to allow victims to decrypt sample files free of charge before agreeing to pay the ransom demanded.
UNKN said on 7 January that there were “no more places” on Sodinokibi’s affiliate programme and that no additional places were planned.
Travelex working to resume systems
Travelex said in a statement that it was conducting detailed forensic analysis of its computer networks and “working to resume normal operations as quickly as possible”.
The company said it did not currently anticipate any material financial impact for the Finablr Group, the Abu Dhabi-based company which bought Travelex in 2014.
Tony D’Souza, chief executive of Travelex, apologised to customers for the inconvenience caused by the attack.
“Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise,” he said.
“Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim. We are working tirelessly to bring our systems back online.”
The Sodinokibi attackers told the BBC that they were demanding a $6m ransom from Travelex to decrypt its data. The group claimed it had gained access to the company’s computer network six months ago and downloaded 5GB of sensitive customer data, including dates of birth, credit card information and national insurance numbers.