REvil Ransomware: "Pay Us One Way Or The Other!"

The Wall Street Journal and Bleeping Computer reported that Travelex, a foreign-currency exchange company, was hit by the REvil/Sodinokibi actors on New Year's Eve, that its network data was encrypted, and that its customers were unable to take orders.

On January 7, Bleeping Computer confirmed that the Sodinokibi ransomware actors were demanding a $3 million ransom, threatening otherwise to release data containing "DOB SSN CC and other". The demand was later raised to $6 million.

Travelex released a public statement confirming the encryption and said it had no evidence of data exfiltration at that time.

"While the investigation is still ongoing, Travelex has confirmed that the software virus is ransomware known as Sodinokibi, also commonly referred to as REvil. Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful. To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated."

Bleeping Computer's Lawrence Abrams, who was in contact with the REvil group, confirmed that REvil was behind the attack and that REvil claims to have exfiltrated 5 gigabytes of Travelex data. Abrams noted that REvil has not released any of that data so far.

Pay Up One Way Or Another

REvil continued its psychological extortion and negotiation tactics: Abrams reported that the group's spokesman, known as "UNKN", posted the following message on a Russian hacker forum.

"There are no seats. And not planned. Travelex recommend starting to raise funds for payment, or DOB + SSN + CC will be sold to anyone." ("No seats" presumably means the group is not accepting any new affiliates at this time.)

In other words: if you don't pay us, we'll profit from the data by other means.

REvil, aka Sodinokibi, is said to exfiltrate data before encrypting the network, adding a second extortion lever: pay up, or face public disclosure of the stolen information. The resulting cascade of consequences for a victim includes disclosure of PII, which triggers data-breach reporting requirements and the governmental and third-party legal headaches that follow, as well as potential stock-price drops, fines, and the loss of confidential or proprietary information. REvil knows that large data breaches have sometimes resulted in stock-price drops of up to 6%.

The REvil actors have several victims under their belt and are still in negotiations with some of them. Some have paid and others have not, at least not yet.

The WSJ reported that the ransomware attack disrupted cash deliveries from Travelex's global network of vaults to major international banks.

According to the Journal, "Banks in the U.K., including units owned by Barclays PLC, Lloyds Banking Group PLC, as well as Westpac Banking Corp. in Australia said Thursday they were unable to take orders from customers in branches that rely on Travelex to supply cash in foreign currencies. The banks' online retail foreign-currency exchange services, which are outsourced to Travelex, were also shut off." It was also reported that some Samsung Pay customers' global cross-border transactions were affected.

The company shut down its systems to contain the ransomware infection, and its internal networks, consumer-facing websites and app have been offline since the attack.

The Wall Street Journal has the full story.

Free Ransomware Simulator Tool

Threat actors are constantly coming out with new strains to evade detection. Is your network effective in blocking all of them when employees fall for social engineering attacks?

KnowBe4's "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim simulates 24 ransomware infection scenarios and 1 cryptomining infection scenario and shows you whether a workstation is vulnerable.

Here's how it works:

  • 100% harmless simulation of real ransomware and cryptomining infections
  • Does not use any of your own files
  • Tests 25 types of infection scenarios
  • Just download, install and run it
  • Results in a few minutes!

Get RanSim!


Topics: Ransomware
