Sodinokibi ransomware plagues Travelex currency exchange as investigation continues

The company's website was still offline at press time.
A Travelex booth at Melbourne International Airport in Melbourne Australia. A days-long ransomware attack against Travelex has forced the British currency exchange to suspend many of its online operations. (Getty Images)

A days-long ransomware attack against Travelex has forced the British currency exchange to suspend many of its online operations as the United Kingdom’s Metropolitan police investigate the incident.

The company said on Dec. 31 it would suspend all of its online services, including its app and internal email systems, to mitigate a cyberattack it detected that day. Two days later, Travelex contacted the Metropolitan police, seeking help to resolve the situation. Normal operations hadn’t been restored, the BBC reported Tuesday, with hackers reportedly demanding a $6 million ransom (£4.6 million) to unlock the affected data.

The firm’s website was still offline at press time, citing planned maintenance. “The company’s network of branches continues to provide foreign exchange services manually,” the firm said in a Jan. 2 tweet.

In a statement Tuesday, Travelex said ransomware attackers used the malware strain known as Sodinokibi, or REvil, in the hack. There is “no evidence that structured personal customer data” has been encrypted, the company said.


“Having completed the containment stage of its remediation process, detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems,” the statement went on. “To date the company has been able to restore a number of internal systems, which are operating normally.”

Travelex, a subsidiary of United Arab Emirates-based Finablr, operates 1,200 locations in 70 countries, and is perhaps most visible in international airports. Finablr went public on the London Stock Exchange last year, propelled in part by the $1 billion (£826 million) in Travelex’s group revenue through 2018. Shares of Finablr had dropped by 6% Tuesday as fallout from the attack continued.

Hackers claimed to the BBC that they downloaded 5GB of sensitive information, including customers’ dates of birth, credit card information and Social Security numbers.

Last year, researchers told StateScoop that hackers had aimed the Sodinokibi ransomware at a number of towns and municipalities in Texas. In April, threat investigators from Cisco’s Talos team reported attackers were leveraging a flaw in an Oracle’s WebLogic Server to distribute Sodinokibi malware.

This attack coincided with a U.K. investigation into whether a trading outage on the London Stock Exchange last year was caused by a cyberattack, according to the Wall Street Journal. There’s nothing to suggest that incident is connected to the Travelex breach.



Update, Jan. 7, 3:13pm ET: This story has been updated to include Travelex’s statement. 

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts