The Six Million Dollar Scam: London cops probe Travelex cyber-ransacking amid reports of £m ransomware demand, wide-open VPN server holes

We can rebuild him, we have the backups... er, right?

More than a week after its website and online services were taken offline by malware, foreign currency super-exchange Travelex continues to battle through what has become an increasingly damaging outage that may have unpatched VPN servers at its heart.

London's Metropolitan Police confirmed to El Reg on Tuesday its officers are probing the cyber-break-in. While the capital's cops declined to name a specific victim, a spokesperson told us: "On Thursday, 2 January the Met’s Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Enquiries into the circumstances are ongoing."

Earlier, we learned the identity of the software nasty that infected the UK-headquartered biz and encrypted its files: the Sodinokibi Windows ransomware. And its criminal masterminds have demanded $6m (£4.6m) from Travelex to restore the scrambled data, according to the Beeb.

Travelex's UK website has been offline since New Year's Eve dealing with the ransomware infection. The exchange is also unable to provide services to British banks and organizations as a result of the IT shutdown.

In a statement to the media, Travelex confirmed it had fallen to a Sodinokibi ransomware infection, though claimed no data had been siphoned off and stolen.

"Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated," we're told.

This, however, is contradicted by claims from the extortionists that the personal data of customers was indeed swiped from the exchange's systems, though these boasts have yet to be confirmed. Travelex declined to comment beyond its public statements.

It also emerged that Sodinokibi's entry point may already be known and related to another ongoing security SNAFU.

Bug-hunter Kevin Beaumont, and Troy Mursch of Bad Packets Report, have chronicled a string of cyber-attacks in which miscreants have exploited a well-known security hole in Pulse Secure's VPN software to compromise and infiltrate enterprise networks.

Beaumont said he has found evidence of the Pulse Secure VPN authentication-bypass flaw being used as an entry point in multiple Sodinokibi ransomware infections. Meanwhile, Mursch, who estimates more than 3,000 such vulnerable servers remain exposed to the public internet, said as recently as September he warned Travelex that it had seven vulnerable internet-facing Pulse Secure VPN servers on its network that it had yet to patch – to no response.

Should this month's infection indeed have begun with exploitation of a bug that has had a patch available since April 2019, Travelex's ongoing headache is likely to go from bad to much, much, worse. ®
