Travelex called-in specialists from the Metropolitan Police's Cyber Crime Team on Thursday last week over what it has finally admitted is a Sodinokibi ransomware attack.
The company took its systems offline on 31st December 2019 following the outbreak in a bid to contain the attack, shifting internal processes to manual as a result. However, it has faced a rising chorus of criticism over its response to the outage and the lack of information it has provided to customers and the media.
There is no evidence that structured personal customer data has been encrypted
In a statement to Computing, the Metropolitan Police said: "On Thursday, 2 January the Met's Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Enquiries into the circumstances are ongoing."
Travelex, meanwhile, has finally got round to providing a statement attributing the outage to more than just "a virus", as the crisis enters its second week.
In the statement, the company confirms that it has fallen victim to the Sodinokibi ransomware, also known as REvil. "Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful," the company claims.
It adds: "To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted."
Detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems
By this, the company presumably means that the ransomware was stopped before it was able to start encrypting critical customer information - but the phrase "structured personal customer data" raises as many questions as it answers.
The company also admits that nine days into its response to the outbreak it "does not yet have a complete picture of all the data that has been encrypted", and further claims that "there is still no evidence to date that any data has been exfiltrated".
The cyber criminals behind the Sodinokibi ransomware typically hedge their bets by exfiltrating organisational data before commencing the encryption process. They then threaten to release the data if the targeted organisation does not pay up.
The Travelex statement continues: "Having completed the containment stage of the remediation process, detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems. To date, Travelex has been able to restore a number of internal systems, which are operating normally."
The company has not been able to give an estimated date by which its systems will be back, fully up-and-running.
Intriguingly, the statement signs off by asserting that the company "does not currently anticipate any material financial impact for the Finablr Group", the holding company that owns Travelex, set-up by Indian businessman BR Shetty and floated on the London Stock Exchange in May 2019.
The attackers are believed to have gained entry via unpatched Pulse Secure VPN servers.
The organisation was warned in September about the vulnerability on its network by both private security researchers and the National Computer Security Centre (NCSC). However, Chicago, Illinois-based security researcher Troy Mursch claims he received no response from the company with regard to the warning he sent.
All Computing's coverage of the Travelex ransomware outbreak:
- Travelex refuses to comment on whether it paid ransom to get its data back
- Travelex claims it is 'making good progress' in recovery from Sodinokibi ransomware attack
- Travelex 'negotiating' with Sodinokibi ransomware group threatening to release or sell personal data
- ICO: Travelex hasn't reported a data breach
- Metropolitan Police called-in last week as Travelex FINALLY admits Sodinokibi ransomware attack
- Cyber criminals demand $3 million in ransom from Travelex after infecting its network with Sodinokibi ransomware
- Travelex ignored September warning over 'insecure' VPN server software
- Travelex takes down currency exchange website following New Year's Eve cyber attack
Hillarys’ Head of ICT Julian Bond talks to Computing about how the UK-based manufacturer responded to the coronavirus crisis – culminating this week in the government-ordered lockdown
Half of all UK businesses hit by security breaches in the past 12 months, according to government Cyber Security Breaches Survey 2020
More businesses and charities than ever are being hit by cyber attacks, according to the latest survey – but organisation are also becoming more resilient
APT41 attacks carried out between January and March targeted unsecured Citrix NetScaler servers and Cisco routers
More and more ransomware groups are starting to steal data before encryption in order to blackmail their victims into paying up
Groups behind Netwalker switched phishing baits to coronavirus last week - as other ransomware groups pledged to avoid medical facilities