Before the New Year, December 31, 2019, Sodinokibi ransomware (aka REvil) attacked the international money transfer system Travelex. Sodinokibi ransomware operators demanded from Travelex $6 millions.To protect data and prevent the spread of malware, the company was forced to shut down its systems.
As a result, customers have lost the opportunity to use the Travelex website and application or make payments using credit or debit cards in more than 1,500 stores around the world.
As for the state on January 13, 2020, the company’s website is still disabled, information about the incident is published on the main page, and there is no comments on the progress of restoration work at Travelex.
The attackers not only encrypted Travelex data, but also stole more than 5 GB of personal data from the company’s network, which includes birth dates, social security numbers, card information, and so on. For this information, the criminals demanded a ransom of $3,000,000 or threatened to publish the stolen data“, – reports the publication in BleepingComputer.
Later the attacker talked to BBC reporters, who were already informed that they wanted $6,000,000 in ransom.
Currently, Travelex representatives deny information about data theft, while hackers confidently tell reporters that the company is already discussing the terms of payment with them and will pay in one way or another: even if the ransom is not paid, the criminals seem to expect to sell the stolen information.
Well-known information security expert Kevin Beaumont reports that Travelex owned seven unpatched Pulse Secure servers.
The problem is that last summer Pulse Secure VPN and FortiGate VPN from Fortinet became targets for criminals, as these solutions revealed vulnerabilities that were very useful to hackers, and soon exploits appeared in the public domain. Apparently, that’s how criminals got into the Travelex network”, – says Kevin Beaumont.
It is worth noting that the threats of Sodinokibi ransomware operators may not be groundless. The fact is that their “colleagues” behind the Maze cryptographer really practice publishing data from the companies if they do not make a deal.
For example, earlier this month in such a way were released files of the Southwire company that was attacked in December.
What is worse, Sodinokibi operators not only publicly emphasized that they would do the same as the authors of Maze, but also managed to support their statements with real actions. Therefore, over the weekend, they published 337 MB of data allegedly belonging to Artech Information Systems, which had previously suffered from their attack, but refused to pay the ransom. However, so far there is no evidence of the authenticity of these data.
Ransomware is one of the main threats today, and it is not funny at all as for example, recently The DeathRansom ransomware stopped joking and now really encrypts files.
User Review( votes)