Travelex Paid $2.3 Million to Ransomware Gang: Report

Travelex, a London-based foreign currency exchange that does business in 26 countries, including the U.S., paid a ransomware gang $2.3 million to regain access to its data following an attack on New Year’s Eve, the Wall Street Journal reports. The incident crippled the company’s customer services for weeks.

See Also: Role of Deception in the ‘New Normal’

Travelex has over 1,000 stores and 1,000 ATMs in 26 countries. It enables money transfer through cash or Travelex prepaid card.

The Sodinokibi gang, which also goes by the name REvil, claimed to have accessed Travelex’s network and then downloaded and encrypted 5 GB of data, according to the BBC. The cybercriminals reportedly originally demanded $6 million to release the data (see: Currency Exchange Travelex Held Hostage by Ransomware Attack).

Ransom Negotiations

After several weeks of negotiating and informing its partners and associates, Travelex decided to pay a ransom of $2.3 million, or about 285 bitcoins, according to the Journal, which cited unnamed sources familiar with the payment. The newspaper also said it confirmed the payment with members of the Sodinokibi gang in an online chat.

A Travelex spokesperson could not be immediately reached for comment on Friday. But a company representative told the Journal that the currency exchange reinstated its affected operations in January and revived its consumer business in February.

U.K. authorities are continuing to investigate the incicent, according to the Journal.

To Pay, or Not to Pay?

As the number of ransomware attacks has increased over the last several years, law enforcement agencies in the U.S., U.K. and elsewhere have discouraged companies from paying ransoms to hackers. The FBI has warned that attackers can linger in networks for months before and after attacks and that paying off cybercriminals is no guarantee of having corporate or financial data returned (see: Ransomware Attackers May Lurk for Months, FBI Warns).

And while the Sodinokibi ransomware gang claims to have released the data to Travelex, Brett Callow, a threat analyst with Emsisoft, points out that the data could have been damaged.

“If, as REvil [Sodinokibi] claims, 5 GB of data was exfiltrated and the backups deleted, Travelex would have been in a lose-lose situation,” Callow tells Information Security Media Group. “If the company did not pay the demand, its systems would have remained encrypted and its data published. If the company did pay, it would have been able to recover it, but would then have had to trust that the criminals would delete their copy of the data. And why would a criminal enterprise ever delete information that it may be able to monetize further?”

While the Travelex incident happened in December 2019, security researchers note that ransomware attacks, especially in healthcare, have gone up significantly since the start of the COVID-19 pandemic earlier this year. Sodinokibi is the most prolific of the ransomware gangs (see: No COVID-19 Respite: Ransomware Keeps Pummeling Healthcare).

Managing Editor Scott Ferguson contributed to this report.