Lenders including Barclays, HSBC, Royal Bank of Scotland and Virgin Money had to stop foreign currency services after exchange provider Travelex was hit by a ransomware gang, according to reports on Thursday (Jan. 9).
The attack occurred on New Year’s Eve. On Jan. 2, Travelex took to Twitter and admitted to a “software virus.”
The hacker gang Sodinokibi, also known as REvil, reportedly demanded $6 million in return for encrypted customer data. Travelex said it had contained the ransomware and investigations show that customer data was not compromised.
“We have now contained the virus and are working to restore our systems and resume normal operations as quickly as possible,” the company said in a statement. “Travelex’s network of branches continue to provide foreign exchange services manually.”
Travelex, owned by the Abu Dhabi-based financial services group Finablr, serves over 70 markets. The company is now using pen and paper to serve customers at its 1,200 worldwide terminals, many of which are in airports.
The readme file for the ransomware, obtained by Computer Weekly, said, “It is just business. We absolutely do not care about you or your details, except getting benefits. …. If you do not cooperate with our service – for us it does not matter. But you will lose your time and your data, cause just we have the private key. In practice, time is much more valuable than money.”
A criminal investigation led by London’s Metropolitan Police is underway, and the Financial Conduct Authority (FCA) has been in contact with Travelex to ensure that affected customers were being treated fairly. The National Cyber Security Centre said it was providing technical support.
Sodinokibi first came on the scene in April 2019 and reportedly offered criminal gangs the opportunity to rent and customize its ransomware in return for a percentage of the profits. Some criminal groups have links to Syria and Iran, according to research by McAfee.
Sodinokibi typically reaches victims either through their own systems or through their suppliers, with outsourced IT service providers being especially exposed. Cyber insurance insiders believe Sodinokibi was spawned by the same hackers who created GandCrab, the ransomware that struck last year. The GandCrab malware was also put up for sale on the dark web to spread the attacks.