Cyber criminals demand $3 million in ransom from Travelex after infecting its network with Sodinokibi ransomware

clock • 3 min read

Attackers claim to have copied more than 5GB of users' personal data

Cyber criminals are demanding a $3 million ransom from foreign currency exchange firm Travelex after penetrating its network and encrypting its network with Sodinokibi ransomware.

The news comes after it was revealed that Travelex had been warned that it was running vulnerable Pulse Secure virtual private networking (VPN) servers. However, it's unclear whether the company responded to the warnings from both security researchers and the National Computer Security Centre (NCSC). 

That's according to BleepingComputer, which claims that the attackers sent the ransom note to the company after copying more than 5GB of users' personal data - including their social security numbers, dates of birth, payment card information and other details - from the company's systems.

The attackers sent the ransom note to the company after copying more than 5GB of users' personal data

The Sodinokibi 'crew' told BleepingComputer that they had encrypted the entire Travelex network and would release users' data into the public domain if the company failed to pay the ransom in seven days.

The Sodinokibi ransomware, which the attackers used to encrypt Travelex's systems, was first discovered in April last year. At that time, it was found that the attackers were exploiting a flaw in Oracle Weblogic to spread the ransomware.

Sodinokibi, also known as Sodin and REvil, is known to typically add random extensions to files encrypted on computer systems. In Travelex's case, the encrypted files were also found to have extensions comprising more than five random characters.

The malware struck Travelex's network on 31st December, and left some readme documents on infected computers after encrypting critical business files.

The company then decided to take all of its computer systems offline in order to secure users' data and to prevent further spread of the virus.

The attack crippled Travelex services, leaving customers unable to use the app or website to make payments using debit or credit cards at more than 1,500 Travelex stores worldwide.

The company claimed that no customer data has been compromised as a result of the breach, but refrained from providing more details about the attack. It's not known whether the breach has been reported to the Information Commissioner's Office (ICO). 

Travelex has been forced to revert to manual procedures in its branches across the world as a result of the attack and electronic services, such as its pre-paid foreign currency cards, cannot be refreshed with new funds. 

The data breach has also disrupted foreign exchange services at several banks, including Barclays, HSBC, Sainsbury's Bank, First Direct, Virgin Money, and others, which rely on Travelex to provide those services.

According to security experts, Travelex took more than eight months to patch Pulse Secure virtual private networking (VPN) software containing a critical security vulnerability, leaving its computer systems vulnerable to cyber attacks.

Chicago, Illinois-based security researcher Troy Mursch said he had warned Travelex about insecure VPN servers in September 2019 - but that warning was probably ignored by the company.

Travelex was one of a number of companies that Mursch informed. Mursch said he had also notified the UK's National Cyber Security Centre about organisations running insecure servers, following which, the NCSC also sent out warning letters to all affected organisations.

Computing's coverage of the Travelex ransomware outbreak

You may also like
Microsoft warns of new ransomware campaign by the Twisted Spider group

Threats and Risks

Uses malvertising to spread Danbot Trojan, then Cactus ransomware

clock 01 December 2023 • 2 min read
Only one arrest was made


International operation nabs gang of corporate ransomware hackers, but only one arrest is made

clock 29 November 2023 • 3 min read
London & Zurich ransomware attack sparks financial crisis for businesses


Details on when exactly full services will resume remain elusive

clock 24 November 2023 • 3 min read

More on Hacking

Data breach affects nearly 7 million 23andMe profiles

Data breach affects nearly 7 million 23andMe profiles

Data including family trees and birth years have been stolen

Tom Allen
clock 05 December 2023 • 2 min read
The Sellafield site in Cumbria, formerly known as Windscale

Government denies evidence of nuclear site hack

Report alleged Sellafield IT systems were attacked by hacking groups linked to Russia and China

clock 05 December 2023 • 2 min read
Hackers demand £300,000 to not leak royal family's medical records

Hackers demand £300,000 to not leak royal family's medical records

GCHQ and the police are investigating the attack

clock 04 December 2023 • 3 min read