Ransomware: What is the software used to hack Travelex?
Patrick Atack
A statement seen on Travelex's website said "detailed forensic analysis is fully underway" by the firm. (Credit: https://www.travelex.com)

A statement seen on Travelex's website said "detailed forensic analysis is fully underway" by the firm. (Credit: https://www.travelex.com)

Global foreign exchange company Travelex confirmed earlier this week that it had been the victim of a so-called 'ransomware' attack - a form of cyber attack which encrypts data and will only release it when a ransom is paid. 

Since the news of the attack emerged, it has been confirmed the Sodinokibi software was used by hackers. It is also known as REvil. 


What is ransomware? 

According to the UK's National Cyber Security Centre, which operates as part of the UK's intelligence service GCHQ, ransomware is a type of malware (malicious software) that locks a computer screen or encrypts files. The point of this is to block companies from their own data, such as credit card details, or even entire systems. 

Some ransomware will only block a certain screen, usually that of the infected computer. 

But others, such as REvil, attach themselves to an entire system, working to encrypt private data. The reason Travelex has decided to turn off its systems is to stop the spread of the virus (they were still off on Thursday morning 9 January).

Some attacks, such as the now infamous WannaCry attack in 2017, will act as a "worm". This type of virus does not need a sender or a receiver to interact with it, because once it has gained access to a network it can move to separate computers on its own. 


How does the 'ransom' work? 

Hackers that use ransomware generally send messages to victims saying their computer or their files can be unlocked by transferring Bitcoin or similar cryptocurrency to the hackers. 

Most hackers target small organisations or individuals with this kind of attack, according to NCSC. "They are generally attacks of opportunity and are not normally targeted at specific individuals or systems," it says. 

In cases where a ransom is asked for, and paid, but the files are not unlocked a different name is used. These cases are called "wiper malware." 


How should I avoid malware? 

The first step is anti-phishing measures. This could be as simple as educating staff on the kind of email not to open. 

It may also help to restrict access to your network, and only allow full access to users who need it.

And perhaps most crucially: have an up-to-date back-up of all your company data. 


What next for Travelex? 

It is understood that hackers have told Travelex to transfer $6m to get their systems unlocked. The NCSC warns companies and individuals not to pay the ransom, in part because there is no guarantee it will result in the release of the property. 

"There are increasingly cases where ransomware attacks are directed specifically at an organisation with much larger ransom demands. In some cases, due to the automation involved in the attacks, ransomware has struck the same victim more than once," the NCSC website advised. 

A company statement said: "We are aware of this incident and working closely with the affected organisation to understand its impact."