Travelex Attack Signals Ransomware Focus on FinServ Industry

Managed Services News

Jan 03

Several banks couldn’t make currency exchanges for their traveling customers.

Travelex, the currency exchange business, shut down its website on Thursday night following a ransomware attack discovered on New Year’s Eve. By then, several banks that rely on the Travelex platform for their own currency services, including Sainsbury’s Bank, Barclays and HSBC, had already been affected.


KnowBe4’s Javvad Malik

“Details are very limited at this point as to what the cause of the attack was and to what extent Travelex systems have been impacted. The fact that the company can still conduct transactions over the counter would indicate that the attack is limited to the website and its functionality,” said Javvad Malik, security awareness advocate at KnowBe4.

“Not only does such an attack bring services down, but depending on the vulnerability exploited and the duration for which it goes undetected, it can impact customers too,” Malik added.

The attack underscored the U.S. government’s warning last month that financial services were increasingly being targeted by ongoing Dridex campaigns. Dridex is a banking Trojan that steals online banking credentials and is typically delivered by phishing email, most often as a malicious Office attachment.

“We expect actors using Dridex malware and its derivatives to continue targeting the financial services sector, including both financial institutions and customers,” the U.S. government warned.

Whether Travelex was attacked with Dridex, a derivative, or something else entirely is uncertain. But the incident fits an increasingly common pattern against financial institutions: a banking Trojan establishes the foothold, and the same operators later deploy ransomware across the compromised network.

“Actors distributing Dridex likely employ ransomware with similar configurations. Code for BitPaymer, also known as Friedex, includes numerous similarities to Dridex, despite its function as ransomware rather than data extraction,” according to the government warning.

The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS) and the publisher of the warning, listed several mitigation recommendations:

  • Ensure systems are set by default to prevent execution of macros.
  • Inform and educate employees on the appearance of phishing messages, especially those used by the hackers for distribution of malware in the past.
  • Update intrusion detection and prevention systems frequently to ensure the latest variants of malware and downloaders are included.
  • Conduct regular backup of data, ensuring backups are protected from potential ransomware attack.
  • Exercise employees’ response to phishing messages and unauthorized intrusion.
  • If there is any doubt about message validity, call and confirm the message with the sender using a number or email address already on file.
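The first recommendation above, macros blocked by default, is in practice a registry policy that Group Policy pushes to endpoints. The following PowerShell is an added illustration, not code from the article or from CISA’s alert: it audits and enforces that policy for the current user. It assumes Office 2016 or later (registry version string 16.0) and the documented policy value names VBAWarnings and blockcontentexecutionfrominternet under each application’s Security key; the function names are this example’s own.

```powershell
# Added example (not from the article or CISA): audit and enforce the Office VBA
# macro policy through the per-user Policies hive that Group Policy manages.
# Assumes Office 2016/2019/365 (registry version "16.0"); earlier versions use a
# different version string.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values (Office "VBA Macro Notification Settings" policy):
#   1 = enable all macros                  (weak: whatever lands, runs)
#   2 = disable with notification          (default: one click re-enables)
#   3 = disable all except digitally signed
#   4 = disable all without notification   (hardened: nothing for the user to click)
$Hardened = 4

function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $vba = $null
        $motw = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $vba  = $props.VBAWarnings
            $motw = $props.blockcontentexecutionfrominternet
        }
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $vba     # $null means "no policy set" (application default applies)
            BlockInternetMacros = $motw
            Compliant           = ($vba -eq $Hardened -and $motw -eq 1)
        }
    }
}

function Set-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Disable all macros with no prompt the user can click through.
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $Hardened -Type DWord
        # Second layer: block macros in files carrying the Mark-of-the-Web
        # (downloaded from the Internet or saved from a mail attachment),
        # which covers the phishing delivery path even if VBAWarnings is later relaxed.
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# Audit first; run Set-MacroPolicy and audit again to confirm all rows are Compliant.
Get-MacroPolicy | Format-Table -AutoSize
```

Where a business unit genuinely needs macros, value 3 (signed macros only) with an internal code-signing certificate is the usual compromise; what matters is that the decision is made centrally and not left to a per-document “Enable Content” button.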

Further, the Treasury and CISA reminded users and administrators to use the following best practices:

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up to date.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrator’s group unless required.
  • Enforce a strong password policy and require regular password changes.
  • Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on workstations and configure it to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
  • Scan all software downloaded from the Internet before executing.
  • Maintain situational awareness of the latest threats.
  • Implement appropriate access control lists.
  • Exercise cybersecurity procedures and continuity of operations plans to enhance and maintain ability to respond during and following a cyberincident.
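The “true file type” item in the list above is the easiest attachment check to automate: read the first few bytes and compare them with what the extension claims. The following PowerShell is an added example, not code from the article or from CISA; the signature table, the function names and the two sample files it writes to $env:TEMP are constructed for illustration.

```powershell
# Added example: compare an attachment's extension with its file header ("magic
# bytes"). A file whose header says "Windows executable" but whose name ends in
# .pdf is the classic disguised attachment. The signature table is a small
# hand-picked subset, not an exhaustive list.

$Signatures = @(
    @{ Ext = @('.pdf');                         Magic = [byte[]](0x25,0x50,0x44,0x46) }                    # "%PDF"
    @{ Ext = @('.docx','.xlsx','.pptx','.zip'); Magic = [byte[]](0x50,0x4B,0x03,0x04) }                    # "PK" (OOXML is ZIP)
    @{ Ext = @('.doc','.xls','.ppt','.msg');    Magic = [byte[]](0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1) } # OLE compound file
    @{ Ext = @('.exe','.dll','.scr');           Magic = [byte[]](0x4D,0x5A) }                              # "MZ" PE executable
    @{ Ext = @('.rtf');                         Magic = [byte[]](0x7B,0x5C,0x72,0x74,0x66) }               # "{\rtf"
)

function Get-HeaderSignature {
    # Return the first signature whose magic bytes are a prefix of the header, else $null.
    param([byte[]]$Header)
    foreach ($sig in $Signatures) {
        $m = $sig.Magic
        if ($Header.Length -lt $m.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $m.Length; $i++) {
            if ($Header[$i] -ne $m[$i]) { $match = $false; break }
        }
        if ($match) { return $sig }
    }
    return $null
}

function Test-TrueFileType {
    # Read at most 8 bytes (no need to load the whole file), then compare with the extension.
    param([string]$Path)
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $buf = New-Object byte[] 8
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $n = $fs.Read($buf, 0, $buf.Length) }
    finally { $fs.Dispose() }
    $hdr = @()
    if ($n -gt 0) { $hdr = $buf[0..($n - 1)] }   # empty file stays an empty header

    $sig = Get-HeaderSignature -Header $hdr
    if ($null -eq $sig) {
        $verdict = 'UNKNOWN'      # not in the table: unverified, which is not the same as clean
        $headerType = '?'
    } elseif ($sig.Ext -contains $ext) {
        $verdict = 'match'
        $headerType = $sig.Ext -join '/'
    } else {
        $verdict = 'MISMATCH'     # extension lies about the content: quarantine
        $headerType = $sig.Ext -join '/'
    }

    [pscustomobject]@{
        Path       = $Path
        Extension  = $ext
        HeaderType = $headerType
        Verdict    = $verdict
    }
}

# Constructed sample files (not real attachments): a PE stub renamed to .pdf and a
# minimal ZIP-style header named .docx.
$fake = Join-Path $env:TEMP 'invoice.pdf'
$real = Join-Path $env:TEMP 'report.docx'
[System.IO.File]::WriteAllBytes($fake, [byte[]](0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00))
[System.IO.File]::WriteAllBytes($real, [byte[]](0x50,0x4B,0x03,0x04,0x14,0x00,0x06,0x00))

Test-TrueFileType $fake   # Verdict: MISMATCH (header is a PE executable)
Test-TrueFileType $real   # Verdict: match
Remove-Item $fake, $real
```

Two caveats a gateway implementation needs: a header check is coarse, so treat UNKNOWN as “send to deeper inspection” rather than “allow”; and because .docx and .docm share the same ZIP header, the macro question cannot be answered here at all. Catching macros in OOXML files means opening the archive and looking for a vbaProject.bin part, which is a separate check from the one shown.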

Mimecast’s Carl Wearn

“This ransomware attack, against a leading currency exchange business, is indicative of the enhanced threat that ransomware now poses. Over the last year the increasingly targeted use of ransomware by criminals has affected organizations from the Coast Guard to universities, numerous state governments and a vast range of businesses, data centers and managed service providers (MSPs) internationally,” said Carl Wearn, head of e-crime at Mimecast.

“Unless organizations up their game, and their user awareness, this threat will inevitably increase in 2020 and the tide of attacks, as currently seen, will worsen,” Wearn added.

There’s no word yet on when Travelex’s currency exchange services will be back online, but the company says it’s working as fast as possible to restore services.
