Travelex Ransomware Attack: Sodinokibi Is Here With A New Tactic


Ooops, your files are encrypted! Don’t worry – you can restore them; all you need to do is send $500 to the following address….

The words that have been striking the fear in average computer users since the 1980s! Yes, the first-ever documented ransomware PC Cyborg (also known as Aids Info Disk, AIDS), capable of encrypting all files in the C: directory after 90 reboots, and then demanding the user to renew their license by transferring $189 by mail, was released in the year 1989

Since then, utilizing more advanced and sophisticated encryption algorithms, the ransomware developed by all means to cause as much damage as possible while helping cybercriminals gain more substantial profits. With them making more and more headlines, effectively targeting businesses and individuals, all signs were indicating that ransomware is not going away any time soon. 

We’ve already published stories on some deadly ransomware attacks. And now, we’ve got a new one about the hack into the computer system of Travelex – a travel money firm, during which Sodinokibi ransomware (also referred to as Sodin or REvil) raises a new challenge of using the stolen data believed to be from a different attack, for blackmailing. 

Travelex – The New VictimTravelex The New Victim

It was on December 31st, 2019 by New Year’s Eve, when there was a strategic cyberattack on the London-headquartered Travelex. 

Very soon, the notorious ransomware gang Sodinokibi came to light, announcing that they are behind the hack, and they had stolen Travelex’s 5 GB customers’ personal data – including dates of birth, social security numbers (SSN), and payment card information. The team demanded about 6 million USD to give the firm access to its computer systems.

However, being dragged on for two weeks, the ransomware crew began posting 337MB of customer data on January 12th, 2020, which they claimed was stolen from a similar attack on American IT firm Artech Systems, to ramp up the pressure on Travelex. 

What makes this significant is the fact that it is the first time that hackers behind the Sodinokibi ransomware have released stolen files emphasizing the need of everyone to err on the side of caution.

“Sodinokibi” – The Crown Prince of RansomwareSodinokibi The Crown Prince of Ransomware

Sodinokibi, the highly evasive malware that hit Travelex, is believed to be from the authors of GrandCrab ransomware (which was behind 40% ransomware infections and successfully reported to have collected around $2 billion in theft payments from the victim). 

Being described as the ‘King of ransomware,’ GandCrab went through several upgrades, perfected itself, and forged partnerships with various threat actors for the effective distribution of the ransomware. However, then, when it had gained the topmost position in everyone’s threat list, the perpetrators announced they are getting the operations ceased. 

 A few years later, when Sodinokibi was released, researchers noticed striking similarities with GandCrab, on how the code works, the infection process and URLs used by both ransomware families, and estimated that Sodinokibi might be operated by the developers behind GandCrab.

Interested in reading more about GrandCrab and Sodinokibi? Read GandCrab Ransomware: Is it Back Under a New ‘REvil’ Guise?

More Difficulties Are On The Way

For Travelex, chances are there for the Information Commissioner’s Office (ICO) to impose a massive fine of 4% of the company’s global turnover since they failed to submit the concerned data breach reports to ICO.    

And very importantly, it was not the first cyberattack on Travelex. 

They were one among the several companies which were warned eight months ago of the chances of being affected by Sodinokibi ransomware. Still, the case is that they didn’t take it seriously and did nothing to strengthen their cybersecurity.

The Threat Is Real – We All Are Targets

The Threat Is Real We All Are TargetsThis is not just a story, but clear evidence for the dramatic proliferation of ransomware. As the world becomes more and more digital, any of us may fall victim to the attack at any point in time. 

So what can we do to defend such a crafty threat?

Strengthening our organizations’ cybersecurity methodologies are the only way! Just think about Travelex – would they have been a victim if they had worked on improving their information security when they were warned for the first time? They may not. 

Want more advice on this? Feel free to get in touch with Cybernetic Global Intelligence (CGI)- a  cybersecurity company, offering reliable cybersecurity solutions with timely analysis.

1 thought on “Travelex Ransomware Attack: Sodinokibi Is Here With A New Tactic”
  • Brianwal Reply
    March 18, 2020 at 4:51 am

    Wow because this is excellent work! Congrats and keep it up.

Post a Comment