Travelex currency exchange is offline following a malware attack

Attackers are reportedly seeking $3 million in ransom

Travelex, currency exchange desk at Hong Kong International Airport. Photo by: Jeff Greenberg/Universal Images Group via Getty Images

It seems bitcoin has come out swinging against fiat currency — as one of the world’s largest fiat currency exchanges is offline due to a software virus. UK currency exchange site Travelex may be subject to ransom demands to get back online and protect its customers’ data; the attackers are demanding a six-figure ransom to be paid in bitcoin, according to Computer Weekly.

Travelex took its sites offline after a hack apparently compromised some of its services, according to a statement on its US website. The site is being held hostage by ransomware, with attackers seeking about $3 million, according to The Guardian.

The company first discovered the virus on New Year’s Eve, Travelex said in its statement. According to the company, there’s no indication personal or customer data had been compromised in the incident. “The company’s network of branches continues to provide foreign exchange services manually,” the statement said.

The ransomware involved, which Travelex has confirmed in a new statement to be Sodinokibi (also known as REvil), is particularly insidious. Sodinokibi acts almost like software-as-a-service, allowing criminals to customize it for their specific uses, according to an analysis by McAfee. The ransomware encrypted Travelex’s entire network, and the attackers gave Travelex a seven-day deadline to pay up, Bleeping Computer reported.

While the company has not confirmed how attackers accessed its systems, Travelex was warned last summer about a vulnerability in a VPN it was running and may have failed to apply an available patch, according to Bleeping Computer.

Hackers are threatening to publish personal data of Travelex customers, including social security numbers, birth dates, and credit card information, according to The Guardian. Travelex provides currency exchange services in 70 countries, allowing travelers and others to exchange their home currency for the currency in the country they’re visiting. Customers can place orders for prepaid travel cards online or at a Travelex facility, but as of Tuesday, online orders for new prepaid cards were suspended. Existing Travelex cards were continuing to function normally, according to the BBC.

The London Metropolitan Police’s cyber crime team says it is investigating the incident, CNN reports. The Verge emailed Travelex for comment; we’ll update if they respond.

Update, January 7th, 3:23PM ET: Added link to new statement from Travelex confirming that the ransomware involved was Sodinokibi.