Streamline your cloud experience and maximise your cloud investment with Microsoft Azure-aligned public cloud services.
Host all of your workloads in the most appropriate location while experiencing the simplicity of one cloud from Six Degrees.
Enhance your cyber security and safeguard your organisation with our cyber security strategy and advisory, consultancy, and managed services.
Connect your business through a comprehensive connectivity portfolio delivered via our owned and operated core Next Generation Network (NGN).
Access the smarter, faster technology needed to make the most of your hybrid working future.
Streamline your hosting with comprehensive colocation services delivered from three UK data centres.
Gain clarity and control of your 5G estate, ensuring ongoing cost efficiencies are managed on your behalf through our managed service.
Gain confidence in your cloud direction and achieve accelerated time to value through our assured and optimised cloud services.
Master today’s complex threat landscape and protect your business with our intelligence-led security services.
Videos and webinars are a great way to digest the latest technology insights.
Our eBooks and whitepapers provide in-depth insights from our experts.
Our thought leaders publish regular blogs on up-to-the-minute topics.
Learn all about the latest news from Six Degrees as we continue to evolve.
We host regular in-person and virtual events for our clients.
Learn how we enable our clients to achieve more; providing superior secure solutions, powered by our passionate people.
We are proud to partner with many of the world’s leading vendors, enabling you to leverage our continual investment in difference-making technology.
Learn how CNS at Six Degrees delivers intelligence-led security services that protect organisations in today’s hostile landscape.
We are committed to operating in an environmentally and socially conscious way. Learn more about our commitments as a business.
We are proud of our secure cloud credentials. Learn why we’re one of the most highly accredited providers in the UK.
We are a friendly and passionate bunch here. Whether you want to work with us or for us, we think you’ll enjoy the Six Degrees experience.
Home » Blogs » Travelex Ransomware Attack: What You Need to Know
As the clock struck midnight on New Year’s Eve 2020, as glasses chinked and couples embraced throughout the UK, foreign exchange company Travelex was plunged into perhaps the biggest crisis in its over 40 year history. Cyber criminals launched a ransomware attack on Travelex that has left the business in turmoil, with employees reduced to working with pen and paper. If the cyber criminals that launched the attack are to be believed, they possess the dates of birth, credit card information and national insurance numbers of scores of Travelex customers. The cost for returning them safely? $6 million.
What do we know at this stage about the Travelex ransomware attack, and what can your organisation do to protect itself from suffering a similar fate?
As a result of the ransomware attack launched on New Year’s Day Travelex has taken its websites offline, preventing users from interacting with its services whilst the investigation is ongoing. At the time of writing the websites (still offline) show a holding page and press statement.
In a statement released from multiple sources (including Travelex themselves) the malware that hit the organisation was the well-known REvil (aka Sodinokibi) ransomware. The group behind the malware confirmed that they had copied upwards of 5GB of personal data, allegedly including dates of birth, social security numbers and credit card information.
What is not clear at this stage is exactly how the attack happened, how the malware got in and even if any data was indeed exfiltrated. Travelex released a statement on Tuesday 7th January stating “there is still no evidence to date that any data has been exfiltrated”, whilst the cyber criminal group behind the malware obviously claim otherwise. Whilst we may never know which side is telling the truth, there remain a number of key lessons to be learnt around how your organisation can employ preventative measures to protect itself from compromise. But first of all, what exactly is Sodinokibi?
Sodinokibi (also known as Sodin or REvil) is believed by some security researchers to have come from the same group of cyber criminals that developed the GandCrab ransomware. GandCrab reportedly made $2 billion via multiple ransomware attacks before being ‘retired’ by its creators in mid-2019. Not a great deal is known about the group behind GandCrab, but they could be based in the former Soviet Union as the malware did not infect machines in the region.
At approximately the same time GandCrab was disappearing, Sodinokibi was observed in numerous cyber-attacks against multiple organisations. In some of the attacks, Sodinokibi was used as ransomware-as-a-service (RaaS). RaaS is a criminal business model where subscribers use malware for their own operations, paying some of the money earnt back to the developers.
Over the past few months there has been a great deal of activity around the Sodinokibi malware. At Six Degrees our cyber security experts have seen multiple cases of this malware family being deployed. Each time we have reverse-engineered the samples there have been subtle differences in functionality; in fact, some binaries from incident responses have even been semi-functional debug samples.
Many of our peers in the cyber security community have been tracking the activity of the Sodinokibi malware family with great interest, and there is a degree of consensus that the malware family is likely to be under active development.
What’s interesting about the outbreaks we have encountered is the method of entry, which has often differed on the occasions we have looked into the malware. Methods of entry have ranged from semi-automated email campaigns to targeted RDP endpoint attacks. One more to add to the list is now Travelex, who some researchers believe may have been infected via a number of known outdated Pulse Secure VPN endpoints.
Before we explore the Pulse Secure VPN endpoint theory further, it’s important to establish that details about the entry point of the malware have not been released. As with many such intrusions, the general public may never know the full technical details of the cyber-attack. What we can do however is identify trends and comment on likely scenarios, the most persuasive of which is that Travelex were using outdated and highly vulnerable Pulse Secure VPN endpoints.
You can follow the links here and here for more specifics, but in summary the successful exploitation of the Pulse Secure VPN endpoints could result in access to the network and VPN endpoint without requiring authentication. To make matters worse, once exploited the attackers would also be able to read log files and any cached usernames and passwords in plain text, which could include Active Directory credentials. At this point access to internal hosts, along with furthering access in preparation for a malware deployment, is only a few steps away, as can be established by the most basic of internal penetration tests.
Following the discovery of this vulnerability a working, publicly available exploit was published around August of last year. This prompted a spike in scanning activity for endpoints affected by the vulnerability, and since then activity linking the vulnerability to Sodinokibi in multiple attacks was also noted. This is what has prompted the widespread speculation that the outdate Pulse Secure VPN endpoints are likely to be the entry point through which cyber criminals were able to attack Travelex.
It is commonly acknowledged that many of these attacks follow a similar pattern. The attacker gains initial access via some means, be it a vulnerability in the external infrastructure or via email campaigns aimed at harvesting credentials. They will then spend time searching the network for high value target hosts; if you think about it from the attacker’s point of view, the greater the value of the data, the greater the chance of someone paying up.
So how do you prevent your organisation from suffering a similar fate to Travelex? Here are some key takeaways we should all be aware of:
The ongoing Travelex ransomware saga is testament to the massive financial, operational and reputational damage a successful cyber-attack can inflict on an organisation. This isn’t a time for burying your head in the sand and hoping the same fate doesn’t befall you. Take proactive steps to protect yourself and your organisation from the very real threat posed by cyber criminals in 2020 and beyond.
Every business needs to protect its information assets from accidental…
The British Airways hack in September 2018 has now been…
Cyber threat is holding companies back from investing in digital…
Purchase of highly respected cyber defence consultancy cements Six Degrees’…
More information on our Privacy and Cookies Policy can be found here: https://www.6dg.co.uk/privacy-cookies/. You can update how we contact you in the future by visiting our Communications Preference Centre here: https://www.6dg.co.uk/preference-centre/.
