Sodinokibi ransomware: Hackers hijack ‘Travelex’ demands $3m ransom

Travelex is said to have been held to ransom by hackers who launched a cyber-attack a week ago that forcing the foreign currency specialist firm to take down all of its global websites.
Criminals are thought to be demanding about $3m (£2.3m) – to give the firm access to its computer systems after they attacked using the Sodinokibi ransomware on 31 December.
They are reportedly threatening to release 5GB of customers’ personal data – including social security numbers, dates of birth and payment card information – into the public domain unless the company pays up.
Staff at the group’s London headquarters have been told to return laptops before leaving the building, as the company tries to get to the bottom of the breach.
The issue has forced banks who use Travelex’s foreign exchange services to stop taking online orders for currency, affecting Sainsbury’s Bank, Tesco Bank, Virgin Money and First Direct.
Travelex sites have been offline for a week, with the firm providing foreign exchange services manually in its branches.
The group’s customer website carried a message to visitors that online services were down due to “planned maintenance”. “The system will be back online shortly,” the messages stated.
A message onits corporate website read: “This website is temporarily unavailable while we make upgrades to improve our service to you.”
Travelex first revealed the New Year’s Eve attack on 2 January, when it sought to assure that no customer data had yet been compromised. It has drafted in IT specialists and cybersecurity experts in an attempt to isolate the virus and get affected systems online, but has been unable to gain access and overthrow the hackers. The Metropolitan police is leading the investigation into the attack.
A spokesperson for the Metropolitan police said: “On Thursday, 2 January, the Met’s cyber crime team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Enquiries into the circumstances are ongoing.”
It has also reportedly emerged that Travelex was recently warned over vulnerabilities in its virtual private network (VPN) servers. It came at a crucial time for the group, with its services in high demand last week over the Christmas holidays.
Travelex has not returned a request for comment from the Guardian and its website remains offline.
In a statement, Virgin Money said: “Investigations by Travelex are ongoing, with no confirmed timescales for resolution. As this is a global Travelex issue, customers are currently unable to place orders via the Virgin Money travel money website (or any Travelex website) or the contact centre. However customers can process orders at Travelex bureaux directly.”
The number of Virgin Money customers affected is understood to be small due to a seasonal lull in currency demand.
A spokesperson for First Direct said no customers were locked out of their funds because they do not offer pre-loaded currency cards.
“We have a very low number of customers who are waiting for their order to be fulfilled,” said the spokesperson.
“We are in the process of contacting our customers and offering a refund.”
Travelex, based in London, has a presence in more than 70 countries with more than 1,200 branches and 1,000 ATMs worldwide. It processes more than 5,000 currency transactions every hour. The group – founded in 1976 – is owned by the global payments platform Finablr, which is listed on the London Stock Exchange but based in the United Arab Emirates.