A ransomware gang attacked Travelex, the foreign exchange company, on New Year’s Eve.
Ransomware is a kind of online attack where criminals take control of data, usually company data, and demand payment to return it.
There are two main types of ransomware: crypto and locker.
The first encrypts data and files so that users can no longer read anything.
In theory you will get a key to decrypt the files after you pay a ransom to the crooks. Locker ransomware is similar, but it typically locks down the computer so it can’t be used until the ransom is paid.
After the Travelex attack, the company closed down the websites it operates in 30 countries. It said the move was designed to “contain the virus and protect data”.
That doesn’t quite sound right. After all, it emerged the criminals had been inside the company’s systems for the past six months. By the time of the attack there would be little left to contain or protect.
The criminals say they have downloaded many gigabytes of sensitive customer data. This includes dates of birth, credit card information and (British) national insurance numbers.
News reports say the criminal gang asked Travelex to pay US$6 million at first, with the demand ratcheting up over time if it wasn’t paid quickly. It’s not clear if the company paid up.
New Zealand link
There is a New Zealand link. After the attack, the company’s branches, which include airport currency exchanges, were still providing services but were using manual processes.
Travelex is also the issuer of Air New Zealand’s OneSmart card. The card makes it easier to deal with money when overseas. It can be loaded with money in as many as eight different foreign currencies before a trip. Users can lock in exchange rates to avoid fluctuations while they are overseas.
Air New Zealand says the card is not affected by the attack.
The company told the NZ Herald: “OneSmart does not use the Travelex foreign exchange services affected by the attack so OneSmart cardholders are not impacted”.
Ransomware going out of fashion
The Travelex attack happened at a time when ransomware incidents are falling fast. Last year the number of attacks dropped 20 per cent as online criminals turned to more lucrative alternatives.
In part the fall in ransomware attacks is because companies are doing a better job at protecting themselves.
The best approach to protection is to have data back-ups so everything ransomed can be recovered quickly. While this sounds simple, it’s something many companies struggle with and criminals know that. Among other things, companies tend to make back-ups without checking that the data is recoverable.
Another problem is that a sophisticated ransomware attack can also take control of the back-ups, rendering them as unusable as the main data store.
A ransomware attack amounts to a much bigger problem for the victim than the ransom demand. In many countries, companies can face fines for not properly and promptly reporting an attack to the authorities.
At the same time, allowing data to be ransomed is often actionable under data protection legislation. At the least a company would need to prove it had taken due care with customer data. That’s hard to do after a ransom attack.
There’s another unpleasant twist to a ransomware attack. While the criminals often release keys after the ransom is paid, that doesn’t always happen. And in at least one reported case, the data was ransomed again by the same gang at a later date. Allowing that to happen is an open and shut case of negligence.
Responding to ransomware
If you are attacked by a ransomware gang, you may need professional help to recover data. Before you get to that stage you need to consider how to respond.
The NZ Police recommend you don’t pay the ransom. That’s understandable and makes sense if there’s a good chance of recovering the data.
Some security experts say that paying the ransom is the smartest course of action. It is often cheaper and, if you don’t have back-ups, quicker than other ways of recovering the data.