Monday 13th January 2020

A Nasty Surprise in Supplies: Monitoring Your Supply Chain in the Wake of the Travelex Ransomware Incident

On 31st December, as the world prepared for the new decade, UK-based foreign exchange giant Travelex had other things on its mind; namely, containing a ransomware infection that had already encrypted business critical files and was threatening to spread further. To contain the incident, the company shut down its network and took websites offline in 30 of the countries it operates in.

While these measures may have prevented further infection, they had a significant knock-on effect on banks that use Travelex for their foreign exchange services, including Barclays, HSBC subsidiary First Direct, Sainsbury’s Bank and Virgin Money. Ten days into the new year, these banks are still reporting that their online foreign currency systems are unavailable. 

In the wake of the attack, the operator of the Sodinokibi ransomware, which is offered as a service on a Russian-language cybercriminal forum (see image below), has come forward to claim responsibility, threatening to release 5GB of data claimed to have been stolen from Travelex unless the ransom demand, reportedly a £4.6 million sum, is promptly paid.

The Sodinokibi variant used against Travelex is sold as a service to affiliates, albeit only to those with significant experience of ransomware

Whether or not these threats can be substantiated, which we explore later in the article, the disruption to the businesses which rely on Travelex as part of their supply chain is clear. Usually when we talk of threats to a supply chain, we tend to speak of attacks which exploit the relationship between two organisations to pivot from one to the other. Although none of the banks listed above were actually breached, the disruption to Travelex still had a substantial knock-on effect.

Unlike attacks which pivot from a supplier to your organisation, which can be mitigated in part by applying additional security measures, attacks like the one that targeted Travelex might appear, frustratingly, to be out of your organisation’s control, as they entirely rely on the supplier’s security posture. However, through Orpheus’ services, your company can better manage and understand the threats facing your supply chain, as we demonstrate in three points below:

1. Vulnerability insight

The attackers behind the Travelex incident are thought to have breached the company via a critical vulnerability affecting enterprise VPN solution Pulse Secure Connect. Despite a patch being available for months, Travelex failed to apply the necessary updates, providing the attackers with a potential route in.

This shows the importance of establishing visibility into your supply chain with regards to vulnerabilities your suppliers face. Orpheus’ Cyber Risk Rating dashboard can provide you with this information, allowing you to anticipate incidents of the kind that proved so disruptive to Travelex’s banking clients.  

2. Big game targets

Another key aspect of the Travelex incident is that it aligns with a trend in ransomware towards “big game hunting”. This is the increasing tendency for ransomware operators to pursue larger organisations, often with global operations. Previous examples include the Ryuk variant targeting shipping giant Pitney Bowes last October and Spanish security multinational Prosegur a month later. The presumed rationale behind this targeting is that attacks on such organisations will generate more media coverage, increasing the pressure on the victim to pay the ransom which, due to the company’s size, can be a higher fee than that demanded of smaller victim organisations. Moreover, companies with global operations are likely to have complex supply chains, meaning that many other organisations are likely to be impacted, again increasing the pressure on the victim to swiftly resolve the situation.

Given this targeting trend, we would advise organisations seeking to assess the security of their supply chains to focus particularly on these larger companies, which present more visible targets to attackers. Again, this is visibility that can be gained through Orpheus’ Cyber Risk Rating dashboard which, in listing all the companies in your supply chain, allows you to determine which are potentially more attractive targets from an attacker’s point of view.

3. Data leak extortion

It is also worth considering the nature of a knock-on effect from a supplier being targeted. In most cases, this consists of a disruption to services, either because critical systems have been encrypted or because the supplier has deliberately shut down such systems to halt the spread of an infection. While this presumes the use of ransomware, ransomware is much more likely to have a knock-on effect for a supplier’s clients than, for example, a banking trojan or cryptocurrency miner infection, as the impact of these is relatively contained and rarely requires network-wide shutdowns.

The nature of the impact of these ransomware infections is evolving, however, and so too is the potential threat to organisations for which the victim is part of their supply chain. In another growing trend, ransomware operators are increasingly stealing, or claiming to have stolen, their victim’s data. By doing so, the perpetrators have an additional means of extortion if their victim refuses to pay the ransom to decrypt their data. And if your supplier is the one subject to this extortion, it could potentially be your data at risk of being exposed.

As mentioned above, Travelex was the target of such threats, with the perpetrator claiming to have stolen sensitive data such as social security numbers, dates of birth and payment card details (see image below). The release of such details could further impact Travelex’s banking clients, as information such as card data would likely belong to the banks and their customers. However, it is unclear whether the attackers actually stole any data as Travelex would have been required to report the incident as a data breach within 72 hours under GDPR, or face a fine, and such a disclosure has yet to be made.

Sodinokibi’s operator claims to have stolen sensitive data such as social security numbers from Travelex, though these claims are not substantiated

Whatever the case regarding Travelex, other ransomware operators have followed through on their claims by actually releasing their victims’ data, and we assess this behaviour will likely become more common. Organisations can keep track of such emerging trends, and the potential implications for their supply chains, by subscribing to Orpheus’ bespoke Threat Intelligence dashboard, which includes a large, regularly updated database of intelligence reports.
