Sodinokibi Cyber Attacks

Welcome to the CyberCure Bi-Weekly podcast transcript.

This podcast will give you a summary of the latest news related to cyber intelligence and proactive cyber security in only a few minutes.

The podcast is aimed at professionals who are short on time, or for anyone who would like to know a bit more about what is REALLY happening out there in the cyber world.

The focus of this podcast will be on the latest cyber events for non-technical people; anyone can listen and understand.


In recent weeks some interesting cyber attacks took place. In this special podcast we will try to give some insights about them and explain them to non-technical people as well.

Travelex is an exchange company headquartered in London. Its main businesses are international payments and issuing prepaid credit cards for use by travellers and some other financial services. 

It is most likely that you encountered the brand at some point as this is a major company working all over the world.

On 31 December 2019, Travelex was hit by ransomware; it took its websites and mobile apps offline and officially reported the cyber attack.

A week later, it was revealed that the entire company was being held to ransom by a group known as REvil, also known as Sodinokibi.

This group has been attacking different companies for several months and demanding ransom in exchange.

Source: Malwarebytes Labs

The attackers behind this ransomware attack were demanding a $3 million ransom, or they would release data containing the dates of birth, Social Security numbers and credit card details of Travelex clients.

Apparently Travelex refused to pay, and as time passed the amount was doubled to $6 million.

To make it even worse, the attackers contacted different media outlets and announced that they are going to make Travelex pay one way or another.

They claimed to have had access to Travelex’s network for six months and to have extracted five gigabytes of customer data.

Recently, posts started to appear in Russian forums used by the group, saying that they are planning to start selling the data soon.

This group is known to use what is known as the RaaS model.

For those not familiar with the term, RaaS (Ransomware as a Service) is when a ransomware developer allows other “affiliates” to distribute their ransomware in exchange for a portion of the ransom payment. Typically, that way the developers of the ransomware can reach wide distribution and use the best minds out there to execute sophisticated attacks.

In the case of Travelex, for example, the attack could have been successful in part because, security researchers say, Travelex took several months to patch critical vulnerabilities in its Secure VPN servers, but the attack itself might have been executed by someone other than the ransomware developer.

Source: McAfee

Last week, the attackers published a new post on a Russian forum containing almost 400MB of data. They claim that this data belongs to Artech Information Systems, who describe themselves as one of the largest IT staffing companies in the U.S., and that they will release more if a ransom is not paid.

If that's true, it means that the attackers of Travelex might be telling the truth and that they might actually have the data of Travelex clients.

However, in Travelex's case it seems that the company chose not to pay the ransom and decided to recover on its own.

Travelex has been posting updates on its websites about the progress it is making in recovering, and the latest update said that it continues to make good progress with its technology recovery. Having already restored some of its internal and order processing systems, the company is now starting to restore customer-facing systems, beginning with the in-store systems that process customer orders electronically.

They also claim that there is no evidence of loss of customer data and that they have informed the law enforcement authorities.

Are we going to see mass distribution of Travelex data in the near future?

Until recently, the common practice was that ransomware would delete the data on the computer. Is there a new standard in ransomware attacks where, instead of wiping the data, attackers just release it to anyone who wants it?

As always in intelligence, there are many pieces out there, and it's up to analysts to connect the dots and give potential clients a chance to fight back.

Check out CyberCure or Nucleon Cyber; it might help you prevent the next attack.

That’s it for this podcast, stay safe and see you in the next podcast.

Don’t forget to visit for the latest podcasts on cyber intelligence.

