Travelex

Travelex, the foreign-exchange specialist with high-street presence across the UK and globally, was hit by the Sodinokibi ransomware (also known as REvil) on 31 December. The company took its websites and customer-facing systems offline as a precaution and has been operating manually across its retail estate for almost two weeks. The customer impact has been substantial: branches unable to process foreign-exchange transactions in the normal flow, online services entirely unavailable, and partner-bank arrangements (Travelex provides the back-end foreign-exchange infrastructure for several major UK retail banks) producing knock-on effects at those banks. Press coverage has been continuous since the 4th, when the disclosure became public, and the company has been visibly struggling with both the technical response and the communications response.

The operational story has, in the past 48 hours, firmed up enough to write about. The initial-access vector is, on multiple converging reports, exploitation of the unpatched Citrix ADC vulnerability CVE-2019-19781 against Travelex's perimeter Citrix Gateway deployment (Bad Packets' scan data on Travelex's exposed Citrix hosts, reported on 7 January, and Brian Krebs' reporting). The Citrix advisory landed on 17 December with mitigation steps available immediately; the permanent firmware fixes are still scheduled for later in January, so the exploitation occurred in the mitigation-only window over the new year. Travelex did not, on the public information, apply the mitigation in the window it had.

The Sodinokibi operators are, on the public communications, demanding a $6 million ransom and have indicated that they exfiltrated approximately five gigabytes of customer data, which they are threatening to publish if the ransom is not paid: the Maze-style leak pattern that I wrote about in November is being deployed against Travelex. The negotiations have been visible in fragments through the public communications, although the operational specifics of any payment decision have not been publicly confirmed.

For the customer briefings this week, the Travelex case is the worked example I had been hoping not to see. The supply-chain-vendor-vulnerability theme from December, the targeted-ransomware-with-leak-pattern theme from November, and the operational-response theme that we have been building customer playbooks for through 2019 are all combined in a single high-profile case affecting a recognisable consumer-facing UK brand. The customer-organisation conversations this week have included, at every customer, the specific question of whether their own posture against the same combination would have produced the same outcome. The honest answer for the customer-portfolio: no, because the Citrix mitigation was applied across all customer estates in the December window, but the wider lesson on appliance-side vulnerability management and on ransomware response readiness is still operationally significant.

For our SOC, the indicators of compromise associated with the Sodinokibi-Travelex incident have been incorporated into the detection content. Detection coverage on customer estates is now in place for the TTP chain that public reporting associates with this and other Sodinokibi intrusions (initial access via Citrix exploitation, BloodHound-style Active Directory reconnaissance, Cobalt Strike post-exploitation tooling, Sodinokibi encryption deployment). The customer-organisation operational posture for the next several weeks is on elevated alert for any indications of similar campaign activity.
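The first link in that chain is the one most customers can check for themselves today. The following is an added example, not code from the original post, from Travelex or from Citrix: it runs the same predicate as Citrix's CTX267027 responder-policy mitigation (a decoded URL containing both `/vpns/` and `/../`) over the appliance's Apache-style `httpaccess.log`, then separates blocked probes from unmitigated ones and flags the write-then-render sequence (a `POST` to `newbm.pl` followed by a fetch of a template under `/vpns/portal/`) that indicates the exploit actually landed. The log lines, the `analyse` and `verdict` functions and the source addresses are all constructed for the example; the appliance logs live on the ADC itself, so this only works if they are already being forwarded off the box.

```python
import re
from urllib.parse import unquote
from typing import Dict

# Constructed sample in Apache combined-log layout, as written by the Citrix
# ADC/Gateway httpaccess.log. None of these lines come from a real estate.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2020:03:14:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2020:03:14:09 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 912 "-" "curl/7.64.0"
198.51.100.23 - - [10/Jan/2020:03:14:12 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "curl/7.64.0"
198.51.100.23 - - [10/Jan/2020:03:14:15 +0000] "GET /vpn/../vpns/portal/example.xml HTTP/1.1" 200 44 "-" "curl/7.64.0"
198.51.100.23 - - [10/Jan/2020:03:15:02 +0000] "GET /vpn/..%2Fvpns/portal/scripts/newbm.pl HTTP/1.1" 403 0 "-" "python-requests/2.22.0"
203.0.113.5 - - [10/Jan/2020:04:00:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) '
)

# Template files written via newbm.pl are rendered from /vpns/portal/<name>.xml.
TEMPLATE_RENDER_RE = re.compile(r"/vpns/portal/[^/]+\.xml$")


def decode_path(raw_path: str) -> str:
    """URL-decode twice so single- and double-encoded traversals normalise the same way."""
    return unquote(unquote(raw_path)).lower()


def is_traversal_request(raw_path: str) -> bool:
    """Same condition the CTX267027 responder policy blocks: /vpns/ reached via /../.
    The policy also exempts authenticated SSL VPN sessions; that state is not in the
    access log, so this check is deliberately the stricter half of the predicate."""
    decoded = decode_path(raw_path)
    return "/vpns/" in decoded and "/../" in decoded


def analyse(log_text: str) -> Dict[str, dict]:
    """Return per-source-IP findings for every traversal attempt in the log."""
    findings: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_request(m.group("path")):
            continue
        entry = findings.setdefault(m.group("ip"), {
            "first_seen": m.group("ts"), "attempts": 0, "unblocked": 0,
            "template_write": False, "template_render": False,
        })
        status = int(m.group("status"))
        decoded = decode_path(m.group("path"))
        entry["attempts"] += 1
        if status < 400:
            # A 2xx/3xx on a traversal means no mitigation stood in the way.
            entry["unblocked"] += 1
            if m.group("method") == "POST" and decoded.endswith("newbm.pl"):
                entry["template_write"] = True       # stage 1: write a template
            if TEMPLATE_RENDER_RE.search(decoded):
                entry["template_render"] = True      # stage 2: have it executed
    return findings


def verdict(entry: dict) -> str:
    """Collapse one source's findings into a triage label."""
    if entry["template_write"] and entry["template_render"]:
        return "likely compromise"
    if entry["unblocked"]:
        return "unmitigated attempts"
    return "blocked attempts"


if __name__ == "__main__":
    for ip, entry in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {verdict(entry)} "
              f"({entry['attempts']} attempts, {entry['unblocked']} unblocked, "
              f"first seen {entry['first_seen']})")
```

A source that only ever receives 403s is a scanner meeting the mitigation; a source with unblocked traversals on a box that has since been mitigated is a signal to pull the appliance's `/netscaler/portal/templates/` directory and crontab for anything written in that window, which is the check the Travelex timeline says nobody ran over the new year.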

The wider strategic point is that the Travelex case is going to drive UK-side board-level attention to ransomware in a way that previous cases have not (Norsk Hydro, though Norwegian, was the closest comparable precedent for a large European enterprise). The customer-organisation board cycles in Q1 are going to have ransomware as a substantive agenda item rather than as a passing reference. The pen-testing engagement queue is showing the predictable uptick in customer demand for ransomware-resilience-focused engagements. The regulatory conversation (the ICO's expectations of post-incident communications, the FCA's expectations of operational-resilience posture in financial-services-adjacent firms, and the NIS Directive's Operator of Essential Services obligations) is going to evolve over Q1 and Q2 in ways the customer-organisation programmes need to absorb.

I will write more as the Travelex situation develops. The case will not, on the operational evidence, be quickly resolved.
