Travelex called-in specialists from the Metropolitan Police's Cyber Crime Team on Thursday last week over what it has finally admitted is a Sodinokibi ransomware attack.
The company took its systems offline on 31st December 2019 following the outbreak in a bid to contain the attack, shifting internal processes to manual as a result. However, it has faced a rising chorus of criticism over its response to the outage and the lack of information it has provided to customers and the media.
There is no evidence that structured personal customer data has been encrypted
In a statement to Computing, the Metropolitan Police said: "On Thursday, 2 January the Met's Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Enquiries into the circumstances are ongoing."
Travelex, meanwhile, has finally got round to providing a statement attributing the outage to more than just "a virus", as the crisis enters its second week.
In the statement, the company confirms that it has fallen victim to the Sodinokibi ransomware, also known as REvil. "Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful," the company claims.
It adds: "To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted."
Detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems
By this, the company presumably means that the ransomware was stopped before it was able to start encrypting critical customer information - but the phrase "structured personal customer data" raises as many questions as it answers.
The company also admits that nine days into its response to the outbreak it "does not yet have a complete picture of all the data that has been encrypted", and further claims that "there is still no evidence to date that any data has been exfiltrated".
The cyber criminals behind the Sodinokibi ransomware typically hedge their bets by exfiltrating organisational data before commencing the encryption process. They then threaten to release the data if the targeted organisation does not pay up.
The Travelex statement continues: "Having completed the containment stage of the remediation process, detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems. To date, Travelex has been able to restore a number of internal systems, which are operating normally."
The company has not been able to give an estimated date by which its systems will be back, fully up-and-running.
Intriguingly, the statement signs off by asserting that the company "does not currently anticipate any material financial impact for the Finablr Group", the holding company that owns Travelex, set-up by Indian businessman BR Shetty and floated on the London Stock Exchange in May 2019.
The attackers are believed to have gained entry via unpatched Pulse Secure VPN servers.
The organisation was warned in September about the vulnerability on its network by both private security researchers and the National Computer Security Centre (NCSC). However, Chicago, Illinois-based security researcher Troy Mursch claims he received no response from the company with regard to the warning he sent.
All Computing's coverage of the Travelex ransomware outbreak:
- Travelex refuses to comment on whether it paid ransom to get its data back
- Travelex claims it is 'making good progress' in recovery from Sodinokibi ransomware attack
- Travelex 'negotiating' with Sodinokibi ransomware group threatening to release or sell personal data
- ICO: Travelex hasn't reported a data breach
- Metropolitan Police called-in last week as Travelex FINALLY admits Sodinokibi ransomware attack
- Cyber criminals demand $3 million in ransom from Travelex after infecting its network with Sodinokibi ransomware
- Travelex ignored September warning over 'insecure' VPN server software
- Travelex takes down currency exchange website following New Year's Eve cyber attack
The leaked documents offered step-by-step guidance about how to pass the CREST exams
Remote working has expanded the digital perimeter of many organisations, and that opens them up to risks
How do you address IT leaders' dual concerns around remote working and cyber security?
British firms paid the sixth-highest total ransom amount to attackers last year, after the USA, Italy, Germany, Spain and France