Before the New Year, on December 31, 2019, the international money transfer service Travelex was attacked by the Sodinokibi ransomware (aka REvil). To protect its data and stop the malware from spreading, the company was forced to shut down its systems. As a result, customers lost the ability to use the Travelex website and app or to make payments with credit or debit cards in more than 1,500 stores around the world.
As of January 13, 2019, the company's website is still down, a notice about the incident is published on the main page, and Travelex is not commenting on the progress of the restoration work.
According to Bleeping Computer, the attackers not only encrypted Travelex's data but also stole more than 5 GB of personal data from the company's network, including dates of birth, social security numbers, card details, and so on. For this information the criminals demanded a ransom of $3,000,000, threatening otherwise to publish the stolen data. A little later the ransomware operators spoke to BBC reporters, who were told that the demand is now $6,000,000.
Travelex currently denies any data theft, while the hackers confidently tell reporters that the company is already discussing payment terms with them and will pay one way or another: even if the ransom is not paid, the criminals apparently expect to sell the stolen information.
Well-known infosec expert Kevin Beaumont reports that Travelex ran seven unpatched Pulse Secure servers. The problem is that last summer Pulse Secure VPN and Fortinet's FortiGate VPN became targets for criminals: vulnerabilities that were very useful to attackers had been disclosed in these products, and exploits soon appeared in the public domain. Apparently, this is how the criminals got into the Travelex network.
It is worth noting that the threats of the Sodinokibi ransomware operators may not be empty. Their "colleagues" behind the Maze ransomware do in fact publish the data of companies that refuse to make a deal. For example, earlier this month files belonging to Southwire, which was attacked in December, were made public in exactly this way.
Worse, the Sodinokibi operators not only publicly stated that they would do the same as the authors of Maze (see illustration above), but also backed their words with action. Over the weekend they published 337 MB of data allegedly belonging to Artech Information Systems, which had previously been hit by their attack but refused to pay the ransom. So far, however, there is no evidence that this data is authentic.