Foreign exchange service Travelex is being held to ransom by a hacking gang called "Sodinokibi," in an attack that experts say highlights the growing "professionalization" of cyber criminals.
Travelex, which is owned by London-listed, Abu Dhabi-based Finablr PLC, was infected with ransomware following an attack on Dec. 30 or Dec. 31, according to a BBC News report.
The criminal gang, who also call themselves REvil, told the BBC that they accessed Travelex's systems six months previously, and that they had downloaded and encrypted 5GB of sensitive customer data, including credit card information. They have demanded $6 million for the return of the data, according to the report.
The company confirmed in a Jan. 7 statement that it had been the victim of the Sodinokibi ransomware but said the virus was "contained." Travelex's customer-facing websites remained offline at the time of publication, but the company's service counters are still functioning, albeit with staff using pen and paper rather than computers.
A weak spot in the armor?
The big question for the financial services industry, and regulators, is how the attackers managed to break into Travelex's systems in the first place.
Bad Packets, a Chicago-based company that provides intelligence on cyber threats, said the hackers might have taken advantage of a bug in the VPN software that Travelex was using.
Pulse Connect Secure VPN, the software Travelex was understood to be using so that remote employees and those on non-company-issued devices could log on to its systems securely, had a vulnerability that could potentially allow attackers into users' systems, according to Troy Mursch, chief research officer at Bad Packets. Pulse released a patch to correct the issue in April after it identified the flaw in the product, but Travelex was among the companies that did not apply it, Mursch said in an email.
He said Bad Packets contacted Travelex on Sept. 13 to warn them of the threat but did not get a response.
"Travelex's Pulse Secure VPN servers were vulnerable to compromise any time between April and November 2019. Given the advisory from Pulse Secure in April and warning from Bad Packets in September, Travelex had plenty of time to secure their network infrastructure before they were compromised and unfortunately held hostage by ransomware," he said.
Pulse Secure acknowledges that there was a flaw in the VPN software it sold, but says it publicly provided a patch on April 24, a spokesperson for the company said in an emailed statement.
"As of early January, the majority of our customers have successfully applied the patch fix and are no longer vulnerable," Scott Gordon, chief marketing officer of Pulse Secure, said in an email. "But unfortunately, there are organizations that have yet to apply [it]."
A spokesperson for Travelex said in an interview that the company could not make any comment on technical details of the hack while the investigation is ongoing.
For Victoria Baines, cybersecurity expert and visiting research fellow at the University of Oxford, the Travelex hack is particularly noteworthy because it demonstrates how much larger and more coordinated ransomware attacks have become in recent years.
Cybercrime gangs have moved on from asking for $100 to $200 from individuals to targeting large companies and demanding considerably bigger sums.
"We are definitely seeing an evolution. But this is quite unique as we haven't really seen the likes of a multi-million ransom in financial services before," she said.
The Sodinokibi gang also appears typical of criminal groups that have "professionalized" and are showing increasingly high levels of technical competence and organization, according to Baines. She added that human error can leave companies just as vulnerable to hacks as technological flaws.
"Criminals have become wise to the fact that cyber hygiene at big institutions isn't always what it should be," she said.
According to a report by insurance underwriter Beazley, the average ransom demanded in attacks on companies was $116,000, although this was skewed by a handful of very large demands.
Ransom demands in the millions are rare but not unheard of. Korean web-hosting firm Nayana agreed to pay around $1 million to criminals, payable in bitcoin, in 2017 (negotiated down from $4.4 million).
Small and mid-sized businesses, which tend to spend less on cyber security than bigger ones, are more vulnerable to attacks, according to the report.
What happens next?
With Travelex's systems still down, and the problem affecting bank customers including Lloyds Banking Group PLC, Barclays PLC and Royal Bank of Scotland Group PLC, questions are starting to arise about the company's contingency plans, according to independent cybersecurity consultant Graham Cluley.
"As it's now been over a week, you have to begin to suspect that Travelex did not have secure backups or that, for some reason, they're having difficulties recovering from their backups," he said in an email. "Paying the ransom isn't ideal either — it encourages others to launch copycat attacks, and in itself fails to determine what the security problem was in the first place that allowed the hackers to plant their ransomware."
Brian Honan, a cybersecurity expert and owner of Dublin-based BH Consulting, said it is easy to point the finger at Travelex without having all the facts, but stressed one must remember that the company is the victim of a crime.
"We still don't know what happened, so it's important not to victim-blame," he said in an interview.
Shares in parent company Finablr fell dramatically on the news of the hack, closing at 130.0 pence per share on Jan. 9, down from 170.4 pence per share on Dec. 31. Finablr said in a statement on Jan. 8 that it did not expect any financial impact as the result of the attack on Travelex, which was placed on CreditWatch Negative on Jan. 9 by S&P Global Ratings.