Travelex: Metropolitan Police called-in last week as company FINALLY admits Sodinokibi ransomware attack

Travelex called-in specialists from the Metropolitan Police's Cyber Crime Team on Thursday last week over what it has finally admitted is a Sodinokibi ransomware attack.

The company took its systems offline on 31^st December 2019 following the outbreak in a bid to contain the attack, shifting internal processes to manual as a result. However, it has faced a rising chorus of criticism over its response to the outage and the lack of information it has provided to customers and the media.

There is no evidence that structured personal customer data has been encrypted

In a statement to Computing, the Metropolitan Police said: "On Thursday, 2 January the Met's Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Enquiries into the circumstances are ongoing."

Travelex, meanwhile, has finally got round to providing a statement attributing the outage to more than just "a virus", as the crisis enters its second week.

In the statement, the company confirms that it has fallen victim to the Sodinokibi ransomware, also known as REvil. "Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful," the company claims.

It adds: "To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted."

Detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems

By this, the company presumably means that the ransomware was stopped before it was able to start encrypting critical customer information - but the phrase "structured personal customer data" raises as many questions as it answers.

The company also admits that nine days into its response to the outbreak it "does not yet have a complete picture of all the data that has been encrypted", and further claims that "there is still no evidence to date that any data has been exfiltrated".

The cyber criminals behind the Sodinokibi ransomware typically hedge their bets by exfiltrating organisational data before commencing the encryption process. They then threaten to release the data if the targeted organisation does not pay up.

The Travelex statement continues: "Having completed the containment stage of the remediation process, detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems. To date, Travelex has been able to restore a number of internal systems, which are operating normally."

The company has not been able to give an estimated date by which its systems will be back, fully up-and-running.

Intriguingly, the statement signs off by asserting that the company "does not currently anticipate any material financial impact for the Finablr Group", the holding company that owns Travelex, set-up by Indian businessman BR Shetty and floated on the London Stock Exchange in May 2019.

The attackers are believed to have gained entry via unpatched Pulse Secure VPN servers.

The organisation was warned in September about the vulnerability on its network by both private security researchers and the National Computer Security Centre (NCSC). However, Chicago, Illinois-based security researcher Troy Mursch claims he received no response from the company with regard to the warning he sent.

All Computing's coverage of the Travelex ransomware outbreak: