Travelex Hit with Powerful Sodinokibi Ransomware Attack

Sodinokibi ransomware cripples Travelex currency exchange

“If you do not cooperate with our service – for us it does not matter. But you will lose your time and your data....”

While most of the world was readying their New Year's Eve celebrations, Travelex was facing a devastating ransomware attack. In the early hours of December 31, the Finablr-owned foreign exchange company was hit with Sodinokibi, a powerful, highly sophisticated ransomware strain that encrypted key business files and left readme files on infected computers. These readme files instructed Travelex to make a six-figure payment in bitcoin through a top-level domain registered in China. The hackers directed Travelex staff to a website prompting users to enter a passkey that would unlock instructions on how to pay the ransom.

The attack rendered Travelex websites in 20 countries inaccessible and left its airport outlets without access to the internet or email. Reports claim that computers containing confidential information such as client names and bank account details had been infected with the virus. The Sodinokibi attack not only disrupted Travelex operations; it also caused disruptions at banks including Barclays, Virgin Money, and Sainsbury’s.

Travelex IT teams have been working since New Year’s Eve to restore the affected systems and isolate the virus. Travelex has declined to comment on whether it will pay the ransom but, either way, this is not a good look for Travelex.

Importance of patching

Pouring salt on Travelex’s fresh wound, it was revealed that the company waited months to patch a well-known security vulnerability in the Pulse Secure VPN servers it uses for remote internet access.

In April last year, Pulse Secure released an advisory notice and software patches after researchers determined that its VPN products contained a number of vulnerabilities that could provide covert access to an organization’s network. In September, security experts alerted thousands of companies that hackers had been working to exploit those vulnerabilities. Analysis conducted by Bad Packets showed that Travelex had not patched its servers until early November 2019.

Ransomware is always changing

It’s important to remember that a ransomware attack like this isn’t unique. We only have to review the last five years to remind ourselves of the WannaCry, SimpleLocker, and TeslaCrypt attacks. Ransomware is elusive and always adapting to bypass system defenses.

As the Travelex attack illustrates, to be #CyberFit and ready to face the latest threats, organizations and the service providers who help them need to adopt the approach of modern cyber protection, which combines proven data protection and cutting-edge cybersecurity.

What is Sodinokibi and how does it work?

In April 2019, the team at Cybereason Nocturnus encountered and analyzed a highly evasive new breed of ransomware named Sodinokibi. The ransomware encrypts all critical corporate files except for those listed in the configuration files. While the affected system is usable, all key business information stored on the system is inaccessible.

Cybercriminals use a wide range of techniques to install Sodinokibi onto targeted computer networks. The ransomware targets Microsoft’s Remote Desktop Protocol (RDP), which allows engineers to access Windows machines remotely. RDP has become an increasingly popular target for hackers who use it to bypass endpoint security to penetrate networks and defense systems.

After entering the network, the ransomware deletes network logs to cover its tracks, so the intrusion is hard to trace even after the vulnerabilities have been patched.
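Log deletion of this kind is itself detectable, because the Windows event-log service records that a log was cleared, and a host that suddenly stops forwarding events is a signal in its own right. The following is an added example, not code from Cybereason, Acronis or Travelex: it reads a constructed JSON-lines feed (the field names ts, host, channel, event_id and user are an assumption about a log-forwarding pipeline) and raises an alert for each cleared log and for each host that has gone silent.

```python
"""Spot event-log clearing and sudden log silence, the track-covering the
post attributes to Sodinokibi. Added example, not Cybereason or Acronis
code. Input is a constructed JSON-lines feed; the field names (ts, host,
channel, event_id, user) are an assumption about a log-forwarding pipeline."""
import json
from datetime import datetime, timedelta

# Windows event IDs that record a log being cleared:
#   Security log, ID 1102: "The audit log was cleared"
#   System log,   ID 104:  "The System log file was cleared"
# Both are written by the event-log service itself, so a cleared log still
# carries the record that it was cleared.
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Constructed sample: fx-app01 logs on, clears both logs, then goes silent;
# fx-web02 keeps reporting normally (4624 = successful logon).
SAMPLE = """\
{"ts": "2019-12-31T01:05:12", "host": "fx-app01", "channel": "Security", "event_id": 4624, "user": "svc_backup"}
{"ts": "2019-12-31T01:07:02", "host": "fx-app01", "channel": "Security", "event_id": 1102, "user": "svc_backup"}
{"ts": "2019-12-31T01:07:05", "host": "fx-app01", "channel": "System", "event_id": 104, "user": "svc_backup"}
{"ts": "2019-12-31T01:10:00", "host": "fx-web02", "channel": "Security", "event_id": 4624, "user": "deploy"}
{"ts": "2019-12-31T01:40:00", "host": "fx-web02", "channel": "Security", "event_id": 4624, "user": "deploy"}
{"ts": "2019-12-31T01:55:00", "host": "fx-web02", "channel": "Security", "event_id": 4624, "user": "deploy"}
"""


def parse_events(text):
    """Parse one JSON record per line; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_log_clears(events):
    """One alert per cleared log, with the account that cleared it."""
    return [
        {"host": e["host"], "channel": e["channel"], "event_id": e["event_id"],
         "user": e["user"], "ts": e["ts"]}
        for e in events
        if (e["channel"], e["event_id"]) in LOG_CLEARED
    ]


def find_silent_hosts(events, now=None, max_gap=timedelta(minutes=30)):
    """Hosts whose newest event is older than max_gap. A stopped forwarder
    and a host knocked offline look the same from the collector; during an
    incident both deserve a look. `now` defaults to the newest timestamp in
    the feed so the function can be replayed offline."""
    last_seen = {}
    for e in events:
        if e["host"] not in last_seen or e["ts"] > last_seen[e["host"]]:
            last_seen[e["host"]] = e["ts"]
    if now is None:
        now = max(last_seen.values())
    return sorted((h, now - t) for h, t in last_seen.items() if now - t > max_gap)


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for a in find_log_clears(evs):
        print(f"ALERT log cleared on {a['host']}: {a['channel']} id={a['event_id']} "
              f"by {a['user']} at {a['ts']}")
    for host, gap in find_silent_hosts(evs):
        print(f"WARN {host} has sent nothing for {gap}")
```

The two checks complement each other: the 1102/104 alert fires at the moment of clearing, while the silence check catches the case where the forwarding agent itself was stopped and no clearing event ever reached the collector.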

How could Travelex have prevented this?

Given the nature of Sodinokibi, retroactive responses are rarely effective. With a robust cyber protection solution, companies are better equipped to stop a ransomware attack before it even begins. In the case of Travelex, an active cyber protection solution would not only have stopped Sodinokibi in its tracks with AI-based security functions, but it would also have maintained up-to-date backups of the company’s data, applications, and systems.

Without effective cyber protection, companies are leaving critical data exposed – putting their time, money, and resources on the line, while risking their customers’ trust and security.

Final Thoughts

To diminish the risk of a ransomware attack and ensure your organization can navigate the increased complexity of network security, it’s critical for your company to adopt the strategies and solutions that deliver modern cyber protection. While the Travelex attack may have been this week's big cybersecurity headline, cybercriminals are working to develop smarter, more discreet, and more potent ransomware attacks every day.

Regular patching of operating systems and applications, along with a frequent backup regimen, can help mitigate some attacks – but to prevent ransomware from encrypting data and crippling your system, a proactive cyber protection solution with integrated anti-malware defenses powered by artificial intelligence is needed.

The machine learning models that power Acronis Active Protection can differentiate potentially malicious system behavior from normal behavior patterns, enabling it to stop suspicious activity in real time, before any damage is done.
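To make the behavior-based idea concrete, here is an added example that is not Acronis Active Protection code (which, as the post says, uses machine-learning models); it uses fixed heuristics to show the same kind of signal. Everything in it is constructed: the process ids, file names, thresholds, the ".locked" extension and the data. A process is flagged only when, within a short window, it rewrites many distinct files with high-entropy (encrypted-looking) content and changes their extensions, a combination that document editors and backup agents do not produce; the files it touched are then listed so a protection product could roll them back from backup.

```python
"""Behaviour-based ransomware detection, in miniature. Added example, not
Acronis code; heuristics stand in for the post's machine-learning models.
All process ids, paths, thresholds and data are constructed."""
import math
import random
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plaintext documents sit well below 7; encrypted or
    compressed output approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class BehaviorMonitor:
    def __init__(self, window=10.0, entropy_threshold=7.0, min_files=10):
        self.window = window                    # seconds considered together
        self.entropy_threshold = entropy_threshold
        self.min_files = min_files              # distinct files before flagging
        self.events = defaultdict(list)         # pid -> [(ts, kind, path)]

    def on_write(self, pid, path, data, ts):
        hi = shannon_entropy(data) >= self.entropy_threshold
        self.events[pid].append((ts, "hi_entropy_write" if hi else "write", path))

    def on_rename(self, pid, old, new, ts):
        old_ext = old.rsplit(".", 1)[-1] if "." in old else ""
        new_ext = new.rsplit(".", 1)[-1] if "." in new else ""
        kind = "ext_change" if old_ext != new_ext else "rename"
        self.events[pid].append((ts, kind, old))  # keep the original path for restore

    def _recent(self, pid):
        evs = self.events.get(pid, [])
        if not evs:
            return []
        latest = max(ts for ts, _, _ in evs)
        return [e for e in evs if latest - e[0] <= self.window]

    def score(self, pid):
        recent = self._recent(pid)
        return {
            "files": len({path for _, _, path in recent}),
            "hi_entropy_writes": sum(1 for _, k, _ in recent if k == "hi_entropy_write"),
            "ext_changes": sum(1 for _, k, _ in recent if k == "ext_change"),
        }

    def is_suspicious(self, pid):
        s = self.score(pid)
        # Both signals together, over many files in a short window, is the
        # pattern that legitimate document handling does not produce.
        return (s["files"] >= self.min_files
                and s["hi_entropy_writes"] >= self.min_files
                and s["ext_changes"] >= self.min_files)

    def files_to_restore(self, pid):
        """Paths the process touched: the roll-back list for a backup-backed
        recovery once the process has been stopped."""
        return sorted({path for _, _, path in self.events.get(pid, [])})


def simulate():
    """Constructed activity: an office app saving reports (pid 1001) next to
    a process rewriting 40 spreadsheets with random bytes and renaming them
    (pid 2002). Returns per-pid verdicts and the monitor."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    mon = BehaviorMonitor()
    report = b"Quarterly FX rates: GBP/USD 1.31, EUR/USD 1.12, USD/JPY 109.2\n" * 64
    for i, ts in enumerate((0.0, 30.0, 60.0)):
        mon.on_write(1001, f"C:/Users/fx/report{i}.docx", report, ts)
    for i in range(40):
        path = f"C:/Shares/finance/ledger{i:02d}.xlsx"
        ts = i * 0.1
        mon.on_write(2002, path, bytes(rng.getrandbits(8) for _ in range(4096)), ts)
        mon.on_rename(2002, path, path + ".locked", ts + 0.05)
    return {pid: mon.is_suspicious(pid) for pid in (1001, 2002)}, mon


if __name__ == "__main__":
    verdicts, mon = simulate()
    for pid, flagged in verdicts.items():
        print(pid, "SUSPICIOUS" if flagged else "ok", mon.score(pid))
    if verdicts[2002]:
        print("restore from backup:", len(mon.files_to_restore(2002)), "files")
```

Requiring all three signals at once keeps the false-positive rate down: a backup or compression job produces high-entropy writes but no extension churn on the originals, and a bulk rename changes extensions without rewriting content. A real product replaces these fixed thresholds with a model trained on both kinds of activity, which is the differentiation the paragraph above describes.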

This behavior-based approach is so effective it stopped more than 400,000 ransomware attacks last year. That’s why it is incorporated into all Acronis Cyber Protection solutions – from our personal and business products to the backup service of our service provider platform – because everyone deserves modern cyber protection.