The malicious encryption software, which operates on a Ransomware-as-a-Service model, may have been delivered via unpatched, vulnerable Pulse Secure VPN servers and it is believed that the attackers are now asking for a $3 million payment.
"Whilst the investigation is still ongoing, Travelex has confirmed that the software virus is ransomware known as Sodinokibi, also commonly referred to as REvil," London-based Travelex now acknowledges in a statement on its website's home page, dated Jan. 7.
“To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted,” the statement continues. “Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated.”
Despite the company's claims that no data was stolen, multiple news sources have reported otherwise. Computer Weekly reported that Travelex computers containing names of clients and bank account and transaction details were hit. Meanwhile, BleepingComputer said that it was informed by the actors behind Sodinokibi that they encrypted the entire Travelex network and copied more than 5GB of data, including Social Security numbers and card information. It also reported that the attackers are threatening to publish the stolen data unless $3 million in ransom is paid within seven days (presumably start from the date of infection).
Travelex also said its efforts to stop the ransomware from spreading further have been successful and that it is “working towards recovery of all systems,” with a number of internal systems already operating normally.
Prior to the appearance of this new statement, Travelex’s website had painted an altogether different picture, with no mention of an attack at all. Instead, the site simply told visitors that Travelex’s “foreign currency purchasing service is temporarily unavailable due to planned maintenance.”
The global impact of the attack has become more apparent since news of the infection first broke. Computer Weekly reported that customers are still unable to access Travelex websites in 20 countries in Europe and the Middle East, while the BBC reports that major banks such as Sainsbury's Bank, Barclays and HSBC are also affected due to their inability to use the Travelex platform.
The identification of Pulse Secure VPN servers as the probable infection vector was referenced by Computer Weekly, which reported that Travelex waited eight months before patching critical VPN vulnerabilities that could have allowed remote actors to gain a secret foothold in its network and ultimately take it over. Before this report, UK-based researcher Kevin Beaumont published a Jan. 4 blog post, reporting that he had recently become aware of multiple organizations suffering malware attacks via exploited Pulse Secure VPN servers.
The disturbing observation underscores the dire need for Pulse Secure users to update their software with patches that the VPN provider had made available dating back to April 2019. Researchers with Bad Packets Report responded to Beaumont’s post with a tweet noting that they determined that Travelex at one point was operating seven unsecured Pulse Secure VPNs. “We notified Travelex about their vulnerable Pulse Secure VPN servers on September 13, 2019. No response,” the tweet said.
Beaumont said that as of the writing of his blog post, there were still more than 1,300 unsecured Pulse Secure servers in the U.S. alone.
“That vulnerability is incredibly bad – it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords),” said Beaumont, noting that the attack is even more significant because Travelex’s services are regulated by the UK’s Financial Conduct Authority (FCA) regulatory body.
“I think it's the first instance of a firm offering FCA regulated services having a total multiple day outage from ransomware,” wrote Beaumont.
Beaumont cited the following statement from Pulse Secure: “Threat actors will take advantage of the vulnerability that was reported on Pulse Secure, Fortinet and Palo Alto VPN products – and in this case, exploit unpatched VPN servers to propagate malware, REvil (Sodinokibi) by distributing and activating the ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers.”