Travelex, the venerable 44-year-old international foreign exchange firm, started 2020 with an unfortunate bang. It was the victim of a ransomware attack by the Sodinokibi ransomware, which encrypted the company’s data and locked it out of its own systems. The attackers told a security researcher that they had also stolen 5GB of personal customer data and deleted all data backups.
To try to contain the infection, Travelex took its systems offline worldwide, affecting more than 1,200 stores, kiosks and counters in at least 70 countries. Its physical “travel money stores” remain open, recording transactions manually and issuing receipts with pen and paper. A lesser-known part of its business, supplying foreign exchange services to major banks and other financial institutions, was also disrupted by the attack.
Now that about a week has passed since the attack became public, information is emerging about the circumstances that enabled it.
- Holes in the VPN
One claim is that, starting in April 2019, Travelex was warned three separate times by three different sources about critical security weaknesses in its Pulse Secure virtual private network servers, and that cyber criminals were actively attacking companies worldwide through those VPNs. Pulse Secure had issued software patches back in April, but Travelex did not apply them.
It was only in November 2019 that Travelex finally installed the patches, meaning many months passed during which attackers could have infiltrated the network through one of the vulnerable VPN servers.
- Insecure RDP access
A more common entry point into a company’s network is Microsoft’s Remote Desktop Protocol (RDP), which gives IT service engineers access to the company’s Windows-based computers. What also came to light was that “Travelex had allowed RDP to be accessible from the internet, without using network-level authentication, which provides a layer of security.” This enables attackers to “sidestep endpoint security and makes penetrating portioned networks and backup systems simple.” This well-known weakness was left in place.
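As an added example (not from the original post or from Travelex), here is a PowerShell audit that a defender can run on a Windows host to detect the weak RDP configuration described above and tighten it: RDP enabled, Network Level Authentication not required, and the built-in “Remote Desktop” firewall rules open to any remote address. The registry values and cmdlets are the standard Windows ones; the `-Remediate` switch is an assumption of this script, not a Windows feature.

```powershell
# Audit (and optionally fix) RDP exposure settings on the local Windows host.
param([switch]$Remediate)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

$rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required
$secLayer    = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer).SecurityLayer

# Firewall rules in the built-in "Remote Desktop" group that accept traffic from any address
$openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
    Where-Object { (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress -contains 'Any' }

[pscustomobject]@{
    RdpEnabled           = $rdpEnabled
    NlaRequired          = $nlaRequired
    SecurityLayer        = $secLayer
    RulesOpenToAnyRemote = @($openRules).Count
} | Format-List

if ($rdpEnabled -and -not $nlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication (the Travelex weakness).'
    if ($Remediate) {
        # Require NLA and TLS so unauthenticated clients never reach the logon screen.
        Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
        Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2
        Write-Output 'NLA and TLS now required for RDP-Tcp.'
    }
}

if (@($openRules).Count -gt 0) {
    Write-Warning 'RDP firewall rules accept connections from any remote address.'
    if ($Remediate) {
        # Scope inbound RDP to the management network (assumed example range).
        $openRules | Set-NetFirewallRule -RemoteAddress '10.0.0.0/8'
        Write-Output 'RDP inbound rules restricted to 10.0.0.0/8.'
    }
}
```

Run it as an administrator; without `-Remediate` it only reports, so it is safe to use as a periodic check across a fleet.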
The long road to recovery…
We know from previous ransomware attacks that the road to recovery is long (several months) and expensive (tens of millions of dollars), whether or not the ransom is paid.
Financial services organizations are required by regulation to recover with lightning speed. For example, European Central Bank guidelines specify that financial institutions should resume critical operations within two hours of a cyber disruption. Can/did Travelex recover within 2 hours? No…
Travelex reports that it has contained the infection, that a number of internal systems are back up and running normally, and that some of its currency exchange business is operating manually, but it has been unable to resume normal operations as yet.
The big question now is how long it will actually take for Travelex to recover its data and resume normal operations.
Ransomware is a severe cyber disruption and a steadily growing threat to the enterprise. Organizations must put controls in place that stop ransomware and other malware from reaching the core data at the heart of their business, and they must be able to recover critical operations within a reasonable timeframe.
So, what can you do to ensure that your organization is able to protect itself and recover from a ransomware attack and resume critical operations with core data fully intact? On a continuous basis, make sure that all your backups meet your organization’s security baseline and vendor best practices. How? With our cyber resilience assurance solutions. Learn more.