Travelex: WastedLocker Ransomware Takes Down Global Currency Exchange
Travelex's entire online currency exchange network was knocked offline by WastedLocker ransomware on New Year's Eve 2019. Banks that relied on Travelex's API — including Barclays and HSBC — also lost currency exchange services for weeks.
Background
Travelex operates currency exchange kiosks in airports worldwide and provides foreign exchange APIs to major banks. On December 31, 2019, the company detected ransomware spreading across its global network. The attackers had been inside the network since August 2019.
The Attack
WastedLocker ransomware, attributed to the Evil Corp criminal group (under US Treasury sanctions), was manually deployed across Travelex's global network after months of reconnaissance. The malware encrypted all files it could reach. The attackers demanded $6 million. Because Travelex provides currency exchange infrastructure to Barclays, HSBC, First Direct, and other banks, the loss of Travelex's API cascaded to all of those banks' online currency products.
Response
Travelex took all systems offline immediately to contain the spread. The company reverted to pen and paper at airport kiosks. Weeks of negotiations resulted in a reported $2.3 million ransom payment. The company rebuilt systems over the following weeks. Travelex filed for administration (bankruptcy) in August 2020, citing the combined impact of COVID-19 and the ransomware attack.
Outcome
The attack demonstrated supply chain ransomware risk: targeting a payments infrastructure provider cascades to dozens of dependent financial institutions. Travelex ultimately went bankrupt. Evil Corp members were sanctioned by the US Treasury, making ransom payments to them potentially illegal — a precedent with significant implications for ransomware victims.
Key Takeaways
- Ransomware against financial infrastructure providers creates systemic risk across dependent institutions
- Treasury sanctions on ransomware groups make paying them potentially illegal — assess before negotiating
- Long dwell time before ransomware deployment indicates patient, professional adversaries — hunt for intruders continuously
- Supply chain dependencies in financial services amplify the impact of any single ransomware attack