{
	"id": "84ed7894-0cdb-4778-b399-b266b4a38842",
	"created_at": "2026-04-06T00:11:01.524473Z",
	"updated_at": "2026-04-10T13:12:24.666314Z",
	"deleted_at": null,
	"sha1_hash": "4df1f6484f1e6bcea17a12528d83c4ac8b3e7620",
	"title": "Sodinokibi Ransomware Hits Travelex, Demands $3 Million",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1952816,
	"plain_text": "Sodinokibi Ransomware Hits Travelex, Demands $3 Million\r\nBy Ionut Ilascu\r\nPublished: 2020-01-06 · Archived: 2026-04-05 15:46:50 UTC\r\nIt's been more than six days since a cyber attack took down the services of the international foreign currency exchange\r\ncompany Travelex and BleepingComputer was able to confirm that the company systems were infected with Sodinokibi\r\nransomware.\r\nThe attack occurred on December 31 and affected some Travelex services. This prompted the company to take offline all its\r\ncomputer systems, a precaution meant \"to protect data and prevent the spread of the virus.\"\r\nAs a result, customers could no longer use the website or the app for transactions or make payments using credit or debit\r\ncards at its more than 1,500 stores across the world. Hundreds of customer complaints came pouring in via social media\r\nsince the outage began.\r\nhttps://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nIn replies to customers today, Travelex was unable to provide updates about progress on restoring its services. In the\r\nmeantime, the company shows a cyber incident notification on the main page of its website and \"planned maintenance\" on\r\nother pages.\r\nAll network locked, files stolen\r\nOn January 3, ComputerWeekly magazine received inside information that the London-based foreign currency exchange\r\ncompany fell victim to a ransomware attack, albeit the malware family remained unknown.\r\nThe same news outlet today reported that the ransomware used in the Travelex attack is Sodinokibi.\r\nBleepingComputer was able to independently confirm that Travelex systems were indeed infected by REvil ransomware. 
We\r\nwere told that the extension added to some of the encrypted files was a string of more than five random characters, similar to\r\n.u3i7y74. This malware typically adds different extensions to files locked on other computer systems.\r\nIn addition to the ransom note, the Sodinokibi crew told BleepingComputer that they encrypted the entire Travelex network\r\nand copied more than 5GB of personal data, which includes dates of birth, social security numbers, card information and\r\nother details.\r\nWe were told that they deleted the backup files and that the ransom demanded was $3 million; if not paid in seven days\r\n(countdown likely started on December 31), the attackers said they will publish the data they stole.\r\nTravelex left the door open\r\nDetails about how the intrusion occurred are not available at the moment but Travelex was running insecure services before\r\nthe incident, which could explain how the attacker may have breached the network.\r\nThe company is using the Pulse Secure VPN enterprise solution for secure communication, which was patched last year\r\nagainst an \"incredibly bad\" vulnerability (CVE-2019-11510), as security researcher Kevin Beaumont describes it in a recent\r\nblog post.\r\nOn unpatched systems, the flaw \"allows people without valid usernames and passwords to remotely connect to the corporate\r\nnetwork the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached\r\npasswords in plain text (including Active Directory account passwords),\" Beaumont explains.\r\nA public exploit for this has been available since August 21, 2019. Soon after, someone started scanning the internet for\r\nvulnerable endpoints.\r\nTroy Mursch, chief research officer at Bad Packets, found about 15,000 systems that were directly exploitable via this\r\nsecurity issue. 
Mursch then started to contact organizations at risk, warning them about the danger of leaving their systems\r\nunpatched.\r\nTravelex was one of the companies Mursch alerted of the issue but he did not get a reply:\r\nAttackers typically spend significant time on the network before deploying the ransomware and encrypting files. This is to\r\nget familiar with the network and find systems with important data and backups, to increase their chances of getting paid.\r\nFurthermore, Kevin Beaumont discovered that Travelex had on its Amazon cloud platform Windows servers that were\r\nexposed to the internet and did not have the Network Level Authentication feature enabled. This means that anyone could\r\nconnect to the server before authenticating.\r\nUpdate [06/01/2020, 18:26 EST]: Pulse Secure issued a statement today about ransomware actors exploiting unpatched\r\nVPN servers. The company is not validating any recent findings as it does not have any data about the attacks.\r\n\"As of now, we are unaware of receiving reports directly from customers about this derivative exploit – no firsthand\r\nevidence,\" Pulse Secure told BleepingComputer.\r\nThe current communication underlines that a patch for the software has been available since April 24, 2019, and that customers\r\nwere informed multiple times about the fix, via emails, in-product and support website notifications.\r\n\"Actors will take advantage of the vulnerability that was reported on Pulse Secure, Fortinet and Palo Alto VPN products –\r\nand in this case, exploit unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the\r\nRansomware through interactive prompts of the VPN interface to the users attempting to access resources through\r\nunpatched, vulnerable Pulse VPN servers.\" Scott Gordon (CISSP), Pulse Secure Chief Marketing Officer.\r\nSince the release of the patch, support engineers have been available 24x7 for customers needing help to solve the 
problem,\r\nincluding those not under an active maintenance contract.\r\nSource: https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/"
	],
	"report_names": [
		"sodinokibi-ransomware-hits-travelex-demands-3-million"
	],
	"threat_actors": [],
	"ts_created_at": 1775434261,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4df1f6484f1e6bcea17a12528d83c4ac8b3e7620.pdf",
		"text": "https://archive.orkl.eu/4df1f6484f1e6bcea17a12528d83c4ac8b3e7620.txt",
		"img": "https://archive.orkl.eu/4df1f6484f1e6bcea17a12528d83c4ac8b3e7620.jpg"
	}
}