Travelex is a Lesson For All The Industry … Minimise Surface Area, Patch and Backup

Senior executives should be looking at the evolving issue at Travelex, and immediately call up their security team and ask whether they have backed up and patched all their systems. They should also be asking how long it would take to recover the infrastructure after a major attack or outage.

Travelex’s network infrastructure was attacked on New Year's Eve, and the company has since struggled to restore it [here]:

Their main site is currently down, and there’s no indication when it will be back up. The malware attack took Travelex websites offline in more than 20 countries, and also affected other banks which use the company for their currency exchanges. Their retail outlets (typically hosted in airports and shopping malls) are also unable to use the Internet or send/receive emails. In fact, the company has yet to inform the ICO that it has been breached.

It has since emerged that the “malware” was actually ransomware, with the attackers demanding a six-figure sum to recover the affected files. The infection appears to be Sodinokibi (also known as REvil), ransomware built specifically for cybercriminals, whose developers offer it in return for a share of the proceeds:

The ransomware demand outlines:

“It is just business. We absolutely do not care about you or your details, except getting benefits. If we do not do our work and liabilities — nobody will not co-operate with us. It is not in our interests,”
“If you do not co-operate with our service — for us it does not matter. But you will lose your time and your data, cause just we have the private key. In practice time is much more valuable than money.”

The ransom note states that the company can connect to a given website and enter a passkey in order to obtain the details on paying the ransom in bitcoin and to create a decryption key. It is thought that the ransom demand could be as much as £3 million. Overall, Sodinokibi is proving highly successful at extracting funds from its attacks:

https://twitter.com/rikvduijn/status/1214268406704300032?s=20

It has also been revealed that Travelex took over eight months to patch its systems against a significant vulnerability, which left them open to attack. They have also been singled out for exposing RDP (Remote Desktop Protocol) to the Internet, leaving them vulnerable to brute-force attacks. RDP allows a desktop to be controlled remotely over a network; exposing it directly to the Internet lets anyone on the Internet attempt to log in.

source: Kevin Beaumont
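The brute-force exposure described above is something a security team can look for in its own Windows logs. The script below is an added illustration, not code from the original post or from Travelex: it parses a constructed, one-line-per-event summary of Windows Security events (Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP), flags any source address with five or more RDP failures inside a ten-minute window, and notes whether that address subsequently logged in successfully. The log format, thresholds and all addresses (drawn from the TEST-NET documentation ranges) are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, one summarised event per line.
# These lines are made up for this example and do not come from Travelex or any real host.
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2020-01-01T02:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-01-01T02:00:04 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2020-01-01T02:00:09 EventID=4625 LogonType=10 TargetUser=root SourceIP=203.0.113.45
2020-01-01T02:00:15 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-01-01T02:00:22 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2020-01-01T02:00:30 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-01-01T02:01:00 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-01-01T02:05:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2020-01-01T02:40:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2020-01-01T03:15:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2020-01-01T03:20:00 EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=10.0.0.12
2020-01-01T03:21:00 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.12
"""

# Assumed summarised line format: "<ISO timestamp> EventID=<n> LogonType=<n> TargetUser=<s> SourceIP=<s>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse summarised event lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for addresses with at least `threshold` RDP logon
    failures inside any `window`, noting whether an RDP success followed the burst."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        if e["event_id"] == 4625:
            failures[e["ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        start = 0
        # Sliding window over the time-ordered failures from this address.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = fails[start]["ts"]
                findings[ip] = {
                    "total_failures": len(fails),
                    "usernames": sorted({f["user"] for f in fails}),
                    # A success from the same address after the burst began deserves urgent triage.
                    "success_after_burst": any(s["ts"] > burst_start for s in successes[ip]),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_brute_force(parse_events(SAMPLE_EVENTS)).items():
        print(ip, finding)
```

In the constructed sample only 203.0.113.45 trips the rule: six failures against three account names in under a minute, followed by a successful RDP logon as administrator. The three failures from 198.51.100.7 are spread over more than an hour and stay below the threshold, and the local (logon type 2) failure from 10.0.0.12 is ignored. Blocking RDP at the perimeter, or putting it behind a VPN or gateway with multi-factor authentication, removes the exposure that makes this alert necessary in the first place.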

Conclusions

Basic facts … minimise the surface area, patch your systems, and back-up.