2020-01-09

Wave of REvil ransomware attacks against unpatched Pulse Secure VPN servers

Researcher warns organizations to patch Pulse Secure VPN flaws now or risk “big game” REvil ransomware attacks.

Travelex’s situation is getting worse every day.

Since a ransomware attack on New Year’s Eve, the currency provider’s online services have remained offline, third-party services that depend on the Travelex platform have become unusable, the cyber criminals responsible have demanded a ransom and set a deadline, customer anger has grown, and now the Information Commissioner’s Office (ICO) is waiting in the wings.

The currency exchange originally said that a “software virus” had affected its systems but had been “contained” while staff “worked to restore systems and resume normal operation as quickly as possible.”

Adding to the confusion for customers trying to access third-party currency services, including those offered by Tesco Bank, HSBC, Sainsbury’s Bank, Lloyds and Virgin Money, a “scheduled maintenance” message was displayed for days, while Travelex answered questions on social media by citing the “software virus”.

The UK Metropolitan Police says that contact was made on January 2 “regarding a reported ransomware attack involving a foreign exchange” and an investigation is ongoing.

Sodinokibi is behind the attack. Travelex has confirmed that the group, also known as REvil, succeeded in encrypting at least some customer data.

“To date, the company can confirm that although there has been some data encryption, there is no evidence that structured personal customer data has been encrypted,” the company said. “Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is as yet no evidence that any data has been exfiltrated.”

If the situation had really been contained, it would seem strange that the ransomware operators at the heart of the security incident would feel confident enough to demand a ransom payment, reportedly $6 million, in exchange for decryption, recovery of IT systems and the withholding of customer data, which the hackers claim includes dates of birth, credit card information and NI numbers.

As reported by the BBC, the threat actors claim to have gained access to Travelex systems six months ago, leading to the exfiltration of 5 GB of customer information.

Last year, Sodinokibi was found to exploit Windows zero-day vulnerabilities, to use unusual methods to maintain persistence on infected systems, and to carry skeleton keys that allow its operators to decrypt files regardless of which keys are in use. That could mean bad news for Travelex: if the variant in play at Travelex carries such master keys, whoever holds them could decrypt the exfiltrated customer data.

The use of such keys has led to further speculation that the developers offer the malware as ransomware-as-a-service (RaaS).

Just a few days ago, a warning was issued to companies running unpatched Pulse Secure VPN servers, because Sodinokibi ransomware operators appear to be actively targeting these systems.

Travelex has apologized to customers, who must visit a branch to order or collect their currency until the situation is contained. The ongoing disruption, however, has led to customer frustration.

A number of customers have complained that they were “fobbed off” by the currency exchange, as noted by The Independent, with ordered currency stuck in digital limbo and some users, currently abroad, left without access to funds on their Travelex ATM cards since the cyber attack locked up the company’s systems.

One customer complained that there was “no help, no customer service”.

Travelex has not issued any form of timeline for the recovery of services.

Under the EU General Data Protection Regulation (GDPR) and UK data protection legislation, companies are required to report data breaches to the ICO. However, an ICO spokesperson said that Travelex has yet to submit such a report.

“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms,” the spokesperson added. “If an organisation decides that a breach does not need to be reported, it must keep its own record of it and be able to explain why it was not reported, if necessary.”

If this incident is deemed serious enough and Travelex is found to have insufficiently protected its computer systems and the customer data it stores, the ICO may impose a fine of up to four percent of annual worldwide turnover. The decision not to inform the ICO once the potential breach was detected could also be a factor in any future fine.

