On the morning of December 31, 2019, foreign exchange company Travelex was hit with Sodinokibi, a powerful and highly sophisticated ransomware strain. The intrusion encrypted key business files and left readme files on infected computers, instructing Travelex to pay a six-figure payment in bitcoin through a top-level domain registered in China. Travelex staff members were directed to a website prompting them to enter a passcode that would allow them to pay the ransom.
The ransomware attack left Travelex websites in 20 countries inaccessible and left the company’s airport outlets without access to internet or email. Reports claim that computers containing confidential information such as client names and bank account details had been infected with the virus.
Despite claims from the criminals, Travelex maintains that no customer information was stolen. The Sodinokibi attack not only disrupted Travelex operations; it also caused disruptions at banks including Barclays, Virgin Money, and Sainsbury’s.
Travelex has declined to comment on whether it would pay the ransom but, no matter what, the episode is not a good look for Travelex.
By mid-January when this article was written, Travelex had begun to restore some critical systems, while some of the company’s global websites and money services were still offline. The firm stated that it would begin restoring customer-facing systems, beginning with those that allowed for electronic process ordering for banking partners.
Why patching is critical in 2020
Pouring salt on Travelex’s fresh wound, it was revealed that the company waited months to patch a well-known security vulnerability in the Pulse Secure VPN servers it uses for remote internet access.
In April last year, Pulse Secure VPN released an advisory notice and software patches after researchers determined that their services contained a number of vulnerabilities that could provide covert access to an organization’s network. In September, security experts alerted thousands of companies that hackers had been working to exploit those vulnerabilities. Analysis conducted by Bad Packets showed that Travelex had not patched their servers until early November 2019.
Ransomware knows how to adapt.
It’s important to remember that a ransomware attack like this isn’t unique. We only have to review the last five years to remind ourselves of the WannaCry, SimpleLocker, and TeslaCrypt attacks. Ransomware is elusive and always adapting to bypass system defense.
As the Travelex attack illustrates, to be #CyberFit and ready to face the latest threats, organizations and the service providers who help them need to adopt the approach of modern cyber protection, which combines proven data protection and cutting-edge cybersecurity.
What is Sodinokibi ransomware?
In April 2019, the team at Cybereason Nocturnus encountered and analyzed a highly evasive new breed of ransomware named Sodinokibi. The ransomware encrypts all critical corporate files except for those listed in the configuration files. While the affected system is usable, all key business information stored on the system is inaccessible.
Cybercriminals use a wide range of techniques to install Sodinokibi onto targeted computer networks. The ransomware targets Microsoft’s Remote Desktop Protocol (RDP), which allows engineers to access Windows machines remotely. RDP has become an increasingly popular target for hackers who use it to bypass endpoint security to penetrate networks and defense systems.
After entering the network, the ransomware deletes network logs to cover its tracks, even after the vulnerabilities have been patched.
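The two behaviours just described, RDP as the entry point and log deletion afterwards, are both visible in Windows Security event records. The script below is an added detection example (not code from Travelex, Acronis, or this article) that runs over constructed sample events; it assumes the standard Windows event IDs 4625 (failed logon), 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), and 1102 (Security log cleared), and the failure threshold is an assumed tuning value.

```python
"""Added detection example: flag an RDP password-guessing run that ends in a
successful logon, and a cleared Security log. Not the article's own code."""
from collections import defaultdict

# Constructed sample events in logged order (not real Travelex data).
# 203.0.113.7 is from the documentation address range.
EVENTS = [
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"id": 4624, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"id": 4624, "logon_type": 2, "src": "-", "user": "jsmith"},  # local, benign
    {"id": 1102, "logon_type": None, "src": "-", "user": "admin"},  # log cleared
]

FAIL_THRESHOLD = 3  # assumed tuning value; set per environment


def detect(events, threshold=FAIL_THRESHOLD):
    """Return a list of (alert_name, detail) tuples, in event order."""
    alerts = []
    failures = defaultdict(int)  # source address -> consecutive failed RDP logons
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == 10:
            failures[e["src"]] += 1
        elif e["id"] == 4624 and e["logon_type"] == 10:
            # A success after repeated failures from the same source is the
            # pattern of a guessed or brute-forced RDP credential.
            if failures[e["src"]] >= threshold:
                alerts.append(("rdp_bruteforce_success", e["src"]))
            failures[e["src"]] = 0
        elif e["id"] == 1102:
            # Clearing the Security log is itself logged once; alert on it.
            alerts.append(("security_log_cleared", e["user"]))
    return alerts


if __name__ == "__main__":
    for name, detail in detect(EVENTS):
        print(f"ALERT {name}: {detail}")
```

In a real deployment the same logic would be fed from forwarded event logs, so that the 1102 record survives even when the local log is wiped.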
Could Travelex have prevented this?
Given the nature of Sodinokibi, retroactive responses are rarely effective. With a robust cyber protection solution, companies are better equipped to stop a ransomware attack before it even begins. In the case of Travelex, an active cyber protection solution would not only have stopped Sodinokibi in its tracks with AI-based security functions, but it would also have kept updated backups of the company’s data, applications, and systems.
Without effective cyber protection, companies are leaving critical data exposed – putting their time, money, and resources on the line, while risking their customers’ trust and security.
To diminish the risk of a ransomware attack and ensure your organization can navigate the increased complexity of network security, it’s critical for your company to adopt the strategies and solutions that deliver modern cyber protection. While the Travelex attack may have been this week’s big cybersecurity headline, cybercriminals are working to develop smarter, more discreet, and more potent ransomware attacks every day.
Regular patching of operating systems and applications, along with a frequent backup regimen, can help mitigate some attacks – but to prevent ransomware from encrypting data and crippling your system, a proactive cyber protection solution with integrated anti-malware defenses powered by artificial intelligence is needed.
The machine learning models that power Acronis Active Protection can differentiate potentially malicious system behavior from normal behavior patterns, enabling it to stop suspicious activity in real-time, before any damage is done.
This behavior-based approach is so effective it stopped more than 400,000 ransomware attacks last year. That’s why it is incorporated into all Acronis Cyber Protection solutions – from our personal and business products to the backup service of our service provider platform – because everyone deserves modern cyber protection.