Travelex Pays $2.3M in Bitcoin to Hackers Who Hijacked Network in January

The payout stems from a system-wide attack that knocked global networks offline on New Year’s Eve and reflects a shift in thinking about ransom payouts

Travelex has paid out $2.3 million in Bitcoin to hackers to regain access to its global network after a malware attack at the new year knocked the global currency exchange offline and crippled its business during the month of January.

The move—reported by the Wall Street Journal—may seem counterintuitive, as experts in the past have typically recommended that companies refrain from paying threat actors ransom when such scenarios occur.

However, this mindset has been shifting as attacks become more and more sophisticated and paying ransoms to hackers has less of a detrimental financial effect on a business than continuing to be locked out of systems.

Travelex said in this case it was experts who advised the company pay those responsible for the New Year’s Eve attack, which forced the company to shut down its online services and its mobile app. The attack left retail locations to carry out tasks manually and many customers stranded without travel money, while global banking partners also were left adrift with no way to buy or sell foreign currency.


Image courtesy of Travelex

Travelex is a ubiquitous fixture at airports, providing foreign-exchange services in 70 countries across more than 1,200 retail branches. The attack resulted in Travelex websites in at least 20 countries going offline, which hamstrung the company’s business as well as caused major problems for banking partners like Barclays, First Direct, HSBC, Sainsbury’s Bank, Tesco and Virgin Money.

Travelex has kept partners and regulators apprised of the situation since the attack, which was blamed on a Sodinokibi ransomware strain. The criminals demanded a six-figure payout in return for the decryption key and directed the company to a payment website hosted in Colorado, Travelex revealed about a week after the attack.

A recent report found that while payouts like the one Travelex made are not always made public, the majority of companies these days that are hit with ransomware attacks end up paying the hackers to spare themselves the hassle and financial penalty of the damage—financial and otherwise–having their networks shut down can cause.

The “2020 Cyberthreat Defense Report” from security firm PerimeterX found that 62 percent of the 1,200 IT security decision makers and practitioners who responded to the survey said their networks had been compromised by ransomware, with most of those paying the ransom in the end to free networks from the hands of hackers.

A report last year from Forrester Research also suggested that paying a ransom could be a good business practice alongside other efforts recovery efforts, as it’s typically impossible to completely recover data and systems even in an organization’s best-case scenario of having good back-ups.

“Forrester’s guidance is not a recommendation of whether or not to pay a ransom but to recognize paying the ransom as a valid recovery path that should be explored in parallel with other recovery efforts to ensure that you’re making the best decision for your organization,” Forrester Principal Analyst Josh Zelonis wrote in the report.

Organizations are clearly beginning to take this advice, especially those that don’t have a raft of security or technical support to recover systems once they’ve been compromised. Local governments in particular are vulnerable to more financial debt to try to recover systems if they don’t pay ransoms than if they do, researchers said.

A city in Florida last June paid $600,000 to hackers to recover data after a ransomware attack, a move criticized by security experts. However, the city of Baltimore experienced a highly publicized ransomware attack last year with a financial impact estimated at $18.2 million versus the $76,000 of bitcoin the hacker demanded, making the decision not to pay “shortsighted,” Zelonis noted in his report.

Indeed, as the cost of not paying ransom continues to become higher than just giving in to hackers’ demands, it’s likely going forward that high-profile ransomware payouts like the one Travelex made will happen more often.

Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.

Suggested articles