
We have all seen it on the news: Travelex were reportedly hacked on New Year’s Eve (2 weeks ago today) and are being held to ransom by a criminal gang using the ‘Sodinokibi’ ransomware (the gang itself is also known as REvil). After 2 weeks the company is still working to get its systems back, resorting to pen and paper in most of its 1200 branches. Travelex does not appear to intend to pay the ransom and claims that no customer data has been compromised, even though the gang claims to have downloaded sensitive customer data.

How did this happen?

Most are familiar with ransomware: essentially it is malware which gets into a network and encrypts the files on that network, rendering them useless, in the hope that a ransom is paid and the decryption key is provided in return, though don’t bank on an honest transaction! We have seen this many times, in particular the WannaCry cryptoworm of 2017, which spread between Windows machines by exploiting a flaw in Microsoft’s SMBv1 file-sharing service. Microsoft had released a patch (MS17-010) two months earlier, but many users had not installed it and so were at risk of infection. Windows XP was equally vulnerable because it was no longer supported, in much the same way that Windows 7 is no longer supported from today (14th January 2020), so no further security patches will be available for it.
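The paragraph above describes what ransomware does to files; the following is an added example (not code from the original post, and nothing to do with Travelex’s own systems) of the simplest detection heuristic that follows from it. Encrypted output is close to uniformly random, so its Shannon entropy approaches 8 bits per byte, while documents, source and logs sit far lower. Comparing two scans of a share therefore catches both "file encrypted in place" and "file encrypted and renamed". The threshold values, the list of legitimately high-entropy extensions and the sample files are all assumptions constructed for the example.

```python
"""Entropy-based heuristic for spotting ransomware-encrypted files.

Added illustration, not from the original post. Thresholds and the
"already compressed" extension list are assumptions; tune per environment.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

HIGH_ENTROPY = 7.5          # bits/byte; assumed threshold for "looks encrypted"
JUMP = 2.0                  # bits/byte rise between scans that is suspicious by itself
SAMPLE_BYTES = 64 * 1024    # only read the head of large files
# Formats that are legitimately near-random (compressed or already encrypted).
COMPRESSED_EXT = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: Path) -> Dict[Path, float]:
    """Map every regular file under root to the entropy of its first SAMPLE_BYTES."""
    result: Dict[Path, float] = {}
    for p in root.rglob("*"):
        if p.is_file():
            with open(p, "rb") as fh:
                result[p] = shannon_entropy(fh.read(SAMPLE_BYTES))
    return result


def suspicious_files(current: Dict[Path, float],
                     baseline: Optional[Dict[Path, float]] = None) -> List[Path]:
    """Flag files that look encrypted.

    A file is flagged when it is high-entropy and not a known compressed type,
    or when a baseline scan exists and its entropy rose sharply since then
    (covers ransomware that keeps the original extension).
    """
    flagged = []
    for path, ent in current.items():
        looks_compressed = path.suffix.lower() in COMPRESSED_EXT
        jumped = baseline is not None and path in baseline and ent - baseline[path] > JUMP
        if (ent >= HIGH_ENTROPY and not looks_compressed) or jumped:
            flagged.append(path)
    return flagged


def demo() -> List[str]:
    """Constructed scenario: a small share scanned before and after a simulated attack."""
    text = (b"Quarterly branch report: cash on hand reconciled, "
            b"no discrepancies found. Prepared by the treasury team.\n") * 20
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.txt").write_bytes(text)
        (root / "notes.txt").write_bytes(text[::-1])
        (root / "backup.zip").write_bytes(os.urandom(4096))   # legitimate archive, stays unflagged
        baseline = scan_tree(root)

        # Simulate ransomware: one file encrypted in place, one encrypted and renamed.
        (root / "report.txt").write_bytes(os.urandom(len(text)))
        (root / "notes.txt").unlink()
        (root / "notes.txt.locked").write_bytes(os.urandom(len(text)))

        flagged = suspicious_files(scan_tree(root), baseline)
        return sorted(p.name for p in flagged)


if __name__ == "__main__":
    print("suspicious:", demo())
```

In production this would run as a scheduled job or a file-system watcher against the shares that matter, alerting on a spike in flagged files rather than on any single one; a canary file that nobody legitimately touches is a useful companion signal, since it cannot raise false positives.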

How was Travelex Different?

Travelex were warned by a security researcher on 13th September 2019 that their Virtual Private Network (VPN) was insecure, in particular their Pulse Secure VPN servers, but the warning appears to have been ignored! The issue starts months before that, when Pulse Secure identified a critical vulnerability in its VPN servers (CVE-2019-11510, which lets an unauthenticated attacker read arbitrary files from the appliance, including cached credentials) and released a patch for it in April 2019, but clearly this was not applied by Travelex. It is reported that the ‘Sodinokibi’ gang had access to the Travelex network for the last 6 months, no doubt watching and gathering data ready for the attack; this was certainly a planned and well-executed ransomware attack.

Could it have been avoided?

YES, without a shadow of doubt. Hindsight is a wonderful thing, but Travelex IT Security didn’t miss a security patch by a few days; they missed it by several months, on a device that sits on the internet by design. Regular patching of every internet-facing system, VPN appliances as much as user endpoints, is essential. IT security is critical; this is/was a major worldwide financial business.

Will they recover?

Good question! After 2 weeks they haven’t recovered: all servers are unavailable, branches are using pen and paper, it’s a disaster! Perhaps Travelex intend to pay and hope to get their files back? A company like Travelex should have substantial Disaster Recovery plans and should be able to restore from backup; however, given the time that has now passed and the size of the attack, it’s likely that the backups were also encrypted. Backups only help against ransomware if a copy is kept offline or otherwise out of reach of the credentials the attacker has taken over, and if restoring from it has actually been rehearsed. As for company reputation, well, it’s shot!

No matter how small or large your business is, do not think that you cannot be affected by ransomware. Do not ignore IT security risks, patch internet-facing services promptly, and protect your network endpoints.
