{
	"id": "e42cb961-4d62-4398-957b-6d199a331c5e",
	"created_at": "2026-04-06T00:17:00.887806Z",
	"updated_at": "2026-04-10T13:12:18.532274Z",
	"deleted_at": null,
	"sha1_hash": "d308f8c145ff824d49f16ab69a3ab647ae8f5032",
	"title": "Sodinokibi Ransomware Behind Travelex Fiasco: Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64735,
	"plain_text": "Sodinokibi Ransomware Behind Travelex Fiasco: Report\r\nBy Tara Seals\r\nPublished: 2020-01-07 · Archived: 2026-04-05 18:46:24 UTC\r\nResearchers suspect the cybercriminals attacked using an unpatched critical vulnerability in the company’s seven Pulse Secure VPN servers.\r\nThe Sodinokibi ransomware strain is apparently behind the New Year’s Eve attack on foreign currency-exchange giant Travelex, which has left its customers and banking partners stranded without its services.\r\nThe criminals behind the attack are demanding a six-figure sum in return for the decryption key, according to reports, and are directing the company to a payment website hosted in Colorado.\r\n“It is just business. We absolutely do not care about you or your details, except getting benefits. If we do not do our work and liabilities – nobody will not co-operate with us. It is not in our interests,” the readme file for the ransomware, obtained by Computer Weekly, said. “If you do not cooperate with our service – for us it does not matter. But you will lose your time and your data, cause just we have the private key. In practice time is much more valuable than money.”\r\nSodinokibi, also known as REvil, appeared in April 2019. It has been responsible for a string of high-profile hits, including attacks on 22 Texas municipalities and various dentist offices around the country. Researchers from Secureworks Counter Threat Unit (CTU) believe that the group behind the infamous GandCrab ransomware, which earlier this year claimed to have retired, is actually responsible for Sodinokibi, given that the string-decoding functions and other code aspects employed by Sodinokibi and GandCrab are nearly identical.\r\nTravelex, a ubiquitous fixture at airports, provides foreign-exchange services in 70 countries across more than 1,200 retail branches. The attack took Travelex websites in at least 20 countries offline, forced its retail locations to carry out tasks manually, and left many customers stranded without travel money. Its global banking partners, including Barclays, First Direct, HSBC, Sainsbury’s Bank, Tesco and Virgin Money, have also been left adrift with no way to buy or sell foreign currency.\r\nIt’s unclear whether the company plans to pay the ransom, and it has offered no timeline on cleanup. While the company has admitted the attack, many of its websites are merely showing a warning screen saying that they’re down for “planned maintenance.”\r\nIt has not returned Threatpost’s requests for comment.\r\nUnpatched Pulse Secure Servers\r\nThe attack could have been successful in part because Travelex took several months to patch critical vulnerabilities in its Pulse Secure VPN servers, according to Bad Packets.\r\nPulse Secure offers a popular family of enterprise remote-access products. The company issued an urgent patch for two critical vulnerabilities in its Zero Trust VPN product in April. CVE-2019-11510 is an arbitrary file-read vulnerability that allows sensitive information disclosure, enabling unauthenticated attackers to access private keys and user passwords, according to the advisory; further exploitation using the leaked credentials can lead to remote command injection (CVE-2019-11539) and allow attackers to gain access inside private VPN networks.\r\n“That vulnerability is incredibly bad — it allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords),” explained researcher Kevin Beaumont (a.k.a. GossiTheDog), in a posting this week.\r\nHe said that in August, he became aware that public exploits had been made available and that cybercriminals including APTs were actively scanning the internet for the issue (using public tools like the Shodan search engine). A corresponding report from Bad Packets that month indicated that major cyberattacks could be imminent.\r\n“On August 25th 2019, Bad Packets scanned the internet and found almost 15,000 endpoints across the world had the issue directly exploitable,” Beaumont noted. “Those results included networks at governments across the world — many incredibly sensitive organizations included — and basically a list of the world’s largest companies. It was clear organizations were simply not patching.”\r\nOne of these organizations was Travelex, which had seven unsecured Pulse Secure servers, according to Bad Packets; it also said that the company waited until November – eight months after the vulnerability disclosure – to patch the issues.\r\nhttps://twitter.com/bad_packets/status/1213536922825420800?ref_src=twsrc%5Etfw\r\nBad Packets indicated that this lag time could have provided the window in which the cybergang infiltrated the Travelex network – a speculation that is somewhat supported by Pulse Secure itself, which issued a statement this week that it has indeed seen the Sodinokibi ransomware being delivered via exploits for the vulnerabilities.\r\n“The ransomware situation at Travelex shines a harsh spotlight on the potential devastation of a cybersecurity incident,” Jonathan Knudsen, senior security strategist at Synopsys, said in an emailed statement. “The lost business and negative publicity from a scenario such as this can be crushing. Ransomware continues to be a popular tool for cybercriminals … If you fall victim to a ransomware attack, you must have a plan ready to execute. The plan should include removing infected systems from your network, wiping them and reinstalling the operating system and applications, then restoring data from your backups.”\r\nSource: https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/sodinokibi-ransomware-travelex-fiasco/151600/"
	],
	"report_names": [
		"151600"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434620,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d308f8c145ff824d49f16ab69a3ab647ae8f5032.pdf",
		"text": "https://archive.orkl.eu/d308f8c145ff824d49f16ab69a3ab647ae8f5032.txt",
		"img": "https://archive.orkl.eu/d308f8c145ff824d49f16ab69a3ab647ae8f5032.jpg"
	}
}