Travelex falls victim to “Sodinokibi” Ransomware
The list of ransomware victims continues to grow. On New Year’s Eve 2020, Travelex, an international foreign exchange company, disclosed that it had been struck by the “Sodinokibi” ransomware strain. Also known as REvil, Sodinokibi prevents users from accessing their computer data by encrypting it. The ransom demand for Travelex was $6M USD. The attackers also stated that failure to pay within 2 days would double the ransom demand.
In an effort to mitigate the spread of the ransomware, Travelex immediately disconnected infected computers from its company network.
The cyberattackers told the BBC that they had actually infiltrated Travelex’s network 6 months prior and had been able to steal over 5 GB of customer data. According to the group, they had obtained access to customer information including birthdays and credit card information. This has become a common strategy of newer ransomware strains: releasing the stolen data is used as a second point of leverage to extort money from victims.
Cyberthreat intelligence company Bad Packets stated that it had notified Travelex of 7 security vulnerabilities present in their systems in September 2019. The vulnerability was caused by a security flaw in the Pulse Secure Virtual Private Network. According to Bad Packets, the vulnerability had actually been patched in April of that year, but Travelex had failed to update its systems to the newest software version, leaving them vulnerable to attack.
The vulnerabilities present in the Pulse Secure VPN were widely known in the second half of 2019. In August of that year, the Canadian Center for Cyber Security urged Canadian businesses to update their software to the latest versions to protect against attack. In October, the US National Security Agency and the UK National Cyber Security Center issued similar warnings.
What does the vulnerability allow cyberattackers to do to unprotected systems?
Cybersecurity researcher Kevin Beaumont stated that the VPN vulnerability, tracked as CVE-2019-11510, allowed attackers to remotely gain control of unprotected systems without needing the user credentials of the computer.
As the Travelex incident illustrates, keeping computers up to date with current software updates is essential to protect against cyberattack.