Published on April 9th, 2020
Travelex Reportedly Paid $2.3 Million Ransom to Restore Operations
Travelex reportedly paid a $2.3 million ransom to get its systems back online after they were encrypted in a Sodinokibi ransomware attack.
In an attack this past New Year’s Eve, hackers deployed the Sodinokibi ransomware throughout Travelex’s network, causing the company to shut down operations at 1,500 stores across the world.
As part of this attack, the operators behind the Sodinokibi ransomware told BleepingComputer that they had encrypted the company’s entire network, deleted backup files, and copied more than 5GB of personal data. This data allegedly contained “DOB SSN CC and other”.
The threat actors told us that they demanded a $3 million ransom for recovery of the files and would publicly release the stolen data if the ransom was not paid.
At the time, the ransomware operators felt that Travelex would not pay and began to post threats on hacker forums that they would release the company’s data if they were not paid.
$2.3 million ransom payment
A new report by the Wall Street Journal states that they were able to confirm that Travelex paid a $2.3 million ransom to get their network back up and running.
“Travelex, known for its ubiquitous foreign-exchange kiosks in airports and tourist sites around the world, was shut down by a computer virus that infiltrated its networks early this year. It responded by paying the hackers the equivalent of $2.3 million, according to a person familiar with the transaction,” states the report.
This report also aligns with information that BleepingComputer was told when Travelex resumed operations on January 17th, 2020, and rumors began circulating that Travelex had paid the ransom.
At that time, Sodinokibi told BleepingComputer that they had received payment from Travelex, but would not specify the amount or provide any proof.
Our questions to Travelex were met with a token response that they were not going to discuss the case while it was under investigation.
“There is an ongoing investigation. We have taken advice from a number of experts and we are not going to discuss this,” Travelex told BleepingComputer.
Travelex’s attack continues to highlight the importance of transparency and the prompt notification of breaches.
With ransomware operators routinely stealing sensitive data before encrypting computers, all ransomware attacks must be treated as data breaches and notifications must be sent to those who had their information exposed.
While paying the ransom may have restored Travelex’s network, those whose data was potentially compromised are just stuck in limbo.