Opinion | Tuesday, 28th January 2020

The Travelex cyber attack explained

Dr Thomas Martin explores the recent cyber attack on the foreign currency exchange giant

MMU Cyber Security
The Travelex cyber attack was caused by Sodinokibi malware

By Dr Thomas Martin, Senior Lecturer in Computing, Mathematics and Digital Technology at Manchester Metropolitan University, and contributor to the Greater Manchester Cyber Foundry project.

How did Sodinokibi get in?

Travelex was recently hit by Sodinokibi – a ransomware malware that saw hackers threaten to release customer data, including credit card information, if a large ransom was not paid to those responsible.

At the time of the attack, Travelex confirmed that the hack had been caused by Sodinokibi. They also confirmed they had found evidence that some of their data had been encrypted, but not exfiltrated, or stolen for simpler terms.

This makes sense as this particular virus is used to encrypt files, which essentially stops a company or individual from accessing them – as oppose to a breach, which sees public data exposed.

Sodinokibi is also an example of ransomware-as-a-service, which is the term used when criminals develop a ransomware, which is then used by a network of other criminals. This practice is relatively new to the cyber world.

Many years ago, when we would see cyber attacks, the hackers would be working independently. They would launch ransomware attacks themselves and were limited in what they could achieve as a small-scale organisation.

Nowadays, what we are seeing are much larger scale attacks facilitated by ransomware-as-a-service. This is the definition of organised crime and involves complex systems built from very advanced software, with sophisticated infrastructure behind it.

With ransomware-as-a-service, we see two very clear, very different roles.

Firstly, there is the developer of the malware. The developer’s role is to set up, encrypt and extort ransom from the victims, which they do by encrypting all the files on the system of their target.

When this happens, everything is out of access – cannot be used, cannot be read, nothing can be done until the ransom is paid.

Then there is the second role – the affiliate. Their part is getting the malware into a system – infecting that system, breaking in and finding a way to run that malware.

What this means on the face of it is you have your malware, provided by a developer, which is then provided to a network of affiliates – a lot like providing them with a service. These affiliates are across the globe and are using different mechanisms to infect people’s machines with that malware.

So what does this mean in the grand scheme of things? Well back before ransom-as-a-service, when there was a new attack, people would say, ‘if you do X you’ll be safe’, and you were then protected from that particular malware. For example, you could block that specific software and then be safe.

However, with Sodinokibi and other attacks of this nature, there are so many different ways in which they can get the malware into a system due to the many different affiliates. This means there is no one way to block an attack.

There are lots of different ways in which people can be affected too. We are seeing a lot of phishing attacks. These are very common and involve everyday people sending email links and clicking on them.

We are also seeing many remote desktop protocol (RDP) attacks. RDP essentially allows users to connect to other computers over a network connection. Attacks of this nature are very popular.

When companies or individuals have weak passwords and credentials, this can also make them vulnerable to an attack. Likewise, even those with strong passwords can become targets if those passwords have been broken in another location.

So, there are many ways in which Sodinokibi could have gotten into this particular system, or others, and these highlight just a few of them.

Immunisation from ransomware

The fact of the matter is these attacks do happen. It is the cost of doing business online. But, it is still possible to protect yourself the best way you can.

Ransomware attacks encrypt files on the system they are targeting, either all files or vital files.

Whether it is a big company, or just one individual who finds themselves a victim of a ransomware attack, it is an unpleasant fact but a fact all the same – there are files we need, files we value and files we want. If something happens to those files, we are going to try and get them back. In many cases, we might even pay to do so.

How can we fight back against cyber attacks? Ensuring files are backed up is one way.

That said, hindsight is 20/20 is it not? It is easy to say ‘just back everything up’, and then you will still have all of those important files. But, for a company as large as Travelex, backing up files is not always going to be that easy.

It is very, very difficult for a large organisation to be able to say everything in our system can be locked away and we are instantly going to be able to set it back up, at little cost and little delay, in the event of a cyber attack.

So, even if Travelex did have a backup – it would not have solved all of their problems! That is not how businesses can run.

Where there are backups, there is always going to be a cost to restore from them – whether it is in time or money, or both. And there is always the possibility that there is going to be some lost data.

There are also steps to be taken to try to prevent the malware getting in to begin with. A lot of the advice given around this is the usual, but there is still work to be done to raise further awareness of these methods and ensure everyone is undertaking them the best they can.

Everyone knows passwords need to be secure. If you take shortcuts, then you are more likely to be attacked, it is that simple. Another one to be aware of is that systems need to be updated – if you have an update, always do it.  

Looking forward at more drastic changes that need making – moving away from passwords altogether is something we should be looking at doing.

The fact is, as diligent as you can be with passwords; they are fundamentally a weak way of authentication.

Cryptographic mechanisms, which support confidentiality by encrypting communications, are great frontline protection.

When protecting remote access to their systems, an organisation does not want the first challenge to be ‘can you correctly guess the password?’ as there are too many ways that can go wrong.

With the cryptographic protections of a virtual private network (VPN), the first challenge for anyone trying to get in, whether user of malicious attacker, is ‘do you have the required private key?’.

This is a much stronger approach and can be used in a variety of different circumstances.

With all of this in mind, it is also worth making the point that no two companies are the same. So, it is worth each individual organisation looking at their own unique cyber needs. What are the particular threats to them? What do they need to protect against?

This closely mimics the work I do with the Manchester Cyber Foundry.

More articles