
The timeline of a ransomware attack

The foreign exchange service provider Travelex had a very unpleasant start to the New Year: it became one of the latest corporate ransomware victims. A cyber attack usually consists of multiple stages, each of which can take days to months. Let's use Travelex to explain the timeline of a ransomware attack*

By David Gugelmann, January 2020

  1. Infiltration: As a first step, the attacker needs to get into the targeted company's network. The two main infiltration vectors are weaknesses in the IT infrastructure (unpatched vulnerabilities, overly permissive security perimeters, etc.) and employees being targeted by social engineering. In the case of Travelex, the attackers allegedly gained access through a known but unpatched VPN server vulnerability.
     
  2. Movement: The attackers move within the network from their point of entry to the critical data and infrastructure. Since the attackers initially do not know where the valuable data and systems are, this stage can take days, several months or even years. The hacker group Sodinokibi, which is behind the Travelex attack, claims to have been inside the Travelex network for several months.
     
  3. Data exfiltration/encryption: Once the attackers manage to access critical data and infrastructure, a cyber attack can become really damaging. At this point, attackers will often start to steal data as well as encrypt critical infrastructure. According to Sodinokibi, they exfiltrated over 5 GB of sensitive customer data, including names and credit card information, while Travelex reports that no data has been breached.
     
  4. Detection: Cyber attacks are often detected far too late. The infamous cyber attack on the hotel chain Marriott was only detected four years after infiltration! Travelex only detected the attack after receiving a USD 6 million ransom demand. If the ransom is not paid, Sodinokibi threatens to publish the allegedly exfiltrated customer data.
     
  5. Investigation and resolution of the attack: Repairing the damage caused by a cyber attack and patching all vulnerabilities is not an easy task. Today, more than three weeks after the attack was detected, Travelex's website is still out of service.
     
  6. Damages and fines: The financial damage from business interruption alone can be horrendous. In the case of a ransomware attack, the ransom is often paid, making it a very lucrative business for attackers. On top of that, potential GDPR fines for data breaches must be added. Such fines can amount to up to 4% of the company's annual turnover. It will take a while until Travelex is able to assess the overall financial damage from this cyber attack. However, the ransom alone is USD 6 million, and the potential maximum GDPR fine could also mount up to USD 35 million**.


How can such costs be avoided? I'm convinced that nearly every network could be breached eventually. Consequently, it is of utmost importance that companies shorten the detection time of an attack (see stage two above). Our security analytics solution ExeonTrace does exactly that. Interested in learning more? Please feel free to book a video conference directly via this link.
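The timeline above shows why detection time matters: the attackers reportedly spent months inside the network and moved several gigabytes out before anyone noticed. One basic network-analytics check that would surface stage three much earlier is to baseline how much data each internal host sends to external destinations per hour and alert on a host that suddenly exceeds that baseline by a large factor. The script below is an added example written for this article; it is not ExeonTrace code and does not describe how that product works. It assumes flow records of the form `<timestamp> <src_ip> <dst_ip> <bytes_sent>`, assumes 10.0.0.0/8 and 192.168.0.0/16 are the internal address space, and uses constructed sample flows in which one host pushes a few GB to an external address late in the evening.

```python
"""Hourly outbound-volume detector over constructed flow records (added example)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: these prefixes are the organisation's internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flow records: "<timestamp> <src_ip> <dst_ip> <bytes_sent>".
# The two 22:xx records model a single host sending ~5.4 GB to one external
# destination outside business hours; everything else is routine traffic.
SAMPLE_FLOWS = [
    "2020-01-02T08:05:00 10.0.1.10 203.0.113.20 800000",
    "2020-01-02T08:20:00 10.0.1.11 203.0.113.20 650000",
    "2020-01-02T08:40:00 10.0.1.12 198.51.100.9 900000",
    "2020-01-02T09:10:00 10.0.1.10 203.0.113.20 700000",
    "2020-01-02T09:15:00 10.0.1.11 198.51.100.9 820000",
    "2020-01-02T09:30:00 10.0.1.12 203.0.113.20 760000",
    # Internal-to-internal transfer (e.g. a file server); must not count as outbound.
    "2020-01-02T09:35:00 10.0.1.10 10.0.2.50 5000000000",
    "2020-01-02T22:05:00 10.0.1.12 198.51.100.77 2000000000",
    "2020-01-02T22:30:00 10.0.1.12 198.51.100.77 3400000000",
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal prefixes."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Split one flow record into (timestamp, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def hourly_outbound_totals(lines):
    """Sum bytes per (internal source host, hour) for flows that leave the network."""
    totals = defaultdict(int)
    for line in lines:
        ts, src, dst, nbytes = parse_flow(line)
        if is_internal(src) and not is_internal(dst):
            hour = ts.replace(minute=0, second=0, microsecond=0).isoformat()
            totals[(src, hour)] += nbytes
    return dict(totals)


def hourly_baseline(totals):
    """Median of all per-host hourly totals; a single outlier barely moves it."""
    return median(totals.values())


def detect_exfiltration(lines, factor=10):
    """Return (host, hour, bytes) for every host-hour above factor x baseline."""
    totals = hourly_outbound_totals(lines)
    threshold = factor * hourly_baseline(totals)
    alerts = [(host, hour, b) for (host, hour), b in totals.items() if b > threshold]
    return sorted(alerts, key=lambda a: a[1])


if __name__ == "__main__":
    for host, hour, nbytes in detect_exfiltration(SAMPLE_FLOWS):
        print(f"ALERT {hour}: {host} sent {nbytes / 1e9:.1f} GB to external hosts")
```

On the sample data the median hourly outbound volume is 800 kB, so with a factor of 10 only the 22:00 hour of 10.0.1.12 is flagged, while the 5 GB internal copy at 09:35 is correctly ignored. A fixed volume threshold like this is deliberately simple: it catches bulk transfers but misses slow, low-volume exfiltration spread over months, which is why per-host and per-destination baselines and long observation windows matter in practice.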

 

* Exeon was not directly involved in the investigation of the attack. The presented information is reconstructed from different public sources.
** Estimation based on Travelex’s annual revenue in 2018.

 

________________

Find additional articles on the topic here: 

Travel cash services still out after Travelex hack

Travelex provides foreign-exchange services in 70 countries across more than 1,200 retail branches. After the attack, the Travelex websites went offline in at least 20 countries. Retailers must carry out tasks manually and customers remain stranded without travel money.

What is Sodinokibi? The ransomware behind the Travelex attack

Sodinokibi, also known as "REvil", is a ransomware-as-a-service (RaaS) operation that was discovered in 2019. Its operators usually exploit known vulnerabilities and have been behind numerous high-profile attacks over the last year.

Swiss hospitals are victims of ransomware attacks (in German)

The danger of Swiss hospitals being attacked by ransomware is larger than previously expected. Several hospitals were targeted in October 2019 and the threat is not yet contained. (Article in German.)

Five ransomware attacks

A quick overview of five different attacks. The cheekiest? In my opinion Ryuk, which attacked companies working to a tight deadline and cashed in on their time pressure.
