Foreign Exchange Company Travelex Being Held To Ransom By Hackers (bbc.com) 64
Hackers are holding foreign exchange company Travelex to ransom after a cyber-attack forced the firm to turn off all computer systems and resort to using pen and paper. From a report: On New Year's Eve, hackers launched their attack on the Travelex network. As a result, the company took down its websites across 30 countries to contain "the virus and protect data." A ransomware gang called Sodinokibi has told the BBC it is behind the hack and wants Travelex to pay $6 million. The gang, also known as REvil, claims to have gained access to the company's computer network six months ago and to have downloaded 5GB of sensitive customer data. Dates of birth, credit card information and national insurance numbers are all in their possession, they say. The hackers said: "In the case of payment, we will delete and will not use that [data]base and restore them the entire network. "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base."
Not too big to fail. (Score:4, Interesting)
Only 6500 employees and less than $1bn market cap. These guys are not too big to fail. If the hackers don't sink them then the regulator should for failing to take security precautions while handling other people's money.
Re: (Score:2)
Re: (Score:2)
Sad yes, but not too big to fail. 6500 people punished to prove to corporations that profit is not everything may be acceptable. 65000 people and suddenly you're too big to fail and if you prioritise profits over ethics and compliance your local government will have your back.
Re: (Score:2)
With complex machinery (and corporations), it only takes one small thing to go wrong and the whole house of cards comes tumbling down. Almost every major company downfall has been caused by less than 1% of the staff doing something either incompetently, unethically, or downright illegal. Travelex won't be the last
Re: (Score:2)
It's NOT a single IT person, Ever. It is ALWAYS the CEO's fault, period.
The CEO allowed their IT teams to choose Windows based systems, the CEO did not take security seriously, and the CEO may not have allocated a budget for proper security audits, education, maintenance, etc.
The CEO basically failed to understand their company exists in the year 2019 (now 2020), a time in which the internet is a wild west and hacks are not a question of IF, but a question of WHEN.
Re: (Score:2)
Re: (Score:2)
Does anyone have a GDPR contact address for them?
I've been working my way through companies getting my data deleted but unfortunately have not got to T yet.
Now I'm going to give them the full Monty. Request all data, all polices, details of their secure storage systems, details of the breech etc.
Outlaw Cryptocurrency (Score:1, Interesting)
NONE of this shit happened before BitCoin and other Cryptocurrencies created to facilitate stuff like Silk Road transactions.
Itâ(TM)s high time (pun intended) for the outright outlawing of Cryptocurrencies.
Eliminate the ability to hide the money trail and let Interpol handle the rest. Ransomware will be a bad memory within months.
Re: (Score:2)
It is not trivial to protect yourself. Just have an isolated ver
Re: (Score:3)
No. Bitcoin serves a purpose.
You cleverly omitted the two real purposes: anonymity and gambling on its price.
Re: Outlaw Cryptocurrency (Score:4, Interesting)
No. Bitcoin serves a purpose. Tracking everyone you conduct transactions with is both insecure and leads to authoritarianism.
Bullshit.
Authoritarianism will never live or die on the backs of Cryptocurrency.
Sorry, the known bad far outweighs the possible good for this abomination.
And being the employee of a small Mom and Pop company that was recently extorted by the RYUK group, even having daily backups like we did was of little help, and the measures you suggest are far outside the capabilities of a small company with no dedicated IT staff.
Re: Outlaw Cryptocurrency (Score:4)
On what grounds do you base that claim? I won't narrow this to cryptocurrency in particular, but some method of having anonymous transactions (e.g. cash) is extremely important to resisting oppressive governments. China, for instance, is able to trace almost every transaction made in its borders using their pervasive e-pay systems. Do you think the protesters in Hong Kong would be able to effectively resist the Chinese government's actions if the Chinese government could track all their payments? How do you propose they secure funding for things like buying enough food and water to survive in that situation? If the Chinese government can track their transactions, they can figure out who they are and what they're doing. They can get them fired from their job and make sure they can't get payments from outsiders who may support their cause.
Re: Outlaw Cryptocurrency (Score:2)
On what grounds do you base that claim? I won't narrow this to cryptocurrency in particular, but some method of having anonymous transactions (e.g. cash) is extremely important to resisting oppressive governments.
I absolutely agree with you, and if a government outlaws CASH transactions, then Iâ(TM)ll be the first to Sound the warning!
But this PARTICULAR form of anonymous transaction seems to be overwhelmingly used for Ransomware transactions, and quite frankly, is tantamount to a National Security threat, no fooling!
So, as long as cash is available in one form or another, and because direct barter cannot be outlawed in any meaningful way, the âoebecause totalitarianismâ argument for Cryptocurrency go
Re: (Score:3)
I would not be surprised if in the coming years China restricts its official currency in certain types of transactions. The pervasiveness of their e-pay solution would make this entirely feasible in the mainland.
Re: (Score:2)
The thing is, both forms of currency can be outlawed e.g. by the Chinese government, but it's a lot more difficult to stop the use of an electronic currency.
Bullshit.
Anytime your "Currency" is based on an electronic transaction, it becomes trivial to stop.
What is impossible to stop is two people exchanging something in person. Cash or Barter (essentially the same thing, but especially Barter) requires no technological trappings whatsoever, and even if a country outlaws the use of its own Currency, it cannot exist in the world market without allowing other country's currency to circulate and be exchanged. And once there is cash or barter in one link of the chain
Re: (Score:2)
On what grounds do you base that claim? I won't narrow this to cryptocurrency in particular
Isn't that kind of saying you will move the goalposts while the GP is taking his kick? But anyway your argument itself isn't on much better ground.
Do you think the protesters in Hong Kong would be able to effectively resist the Chinese government's actions if the Chinese government could track all their payments?
You know what we haven't seen the Hong Kong protesters do? Take up cryptocurrency in any primary transaction form. That one example effectively kills your entire argument against the GP's assertion that cryptocurrency won't make or break authoritarianism. Any why would it? Authoritarianism existed before cryptocurrency, it continues to exist now, and while it exi
Re: (Score:2)
Re: (Score:2)
Why were the daily backups little help? That's usually the golden ticket out of ransom jail... most people who get bit that I hear about are the ones who didn't have that. What else were they doing to you?
Because a Server reassignment about 6 months ago meant that some critical data that was being dilgently backed-up daily suddenly stopped being backed-up.
Yes, our bad, call us idiots; but as I said, something that is all-too-easy to have happen in a small company with no dedicated IT.
But fortunately, a whole lot of our data was still being diligently backed-up. So we are still going to be able to avoid paying the criminals.
However, even though the Data was backed-up, the possibility of Restoring still-infect
Re: (Score:2)
Re:Outlaw Cryptocurrency (Score:4, Insightful)
Using Anarchy to Combat Authoritarianism doesn't solve anything. These are ideals not electrical charges. They won't just cancel themselves out.
While we should always be improving system security. We also need to be sure that criminals who abuse the system, are found and punished justly.
System security is game that you need to keep on playing. Just after you isolate your versioned backups, and have two-factor authentication. There will be a hole perhaps in your backups that will allow those to seem to be corrupted, and some back door that wasn't blocked with two factor authentication. You always need to assume you are vulnerable, past success doesn't guarantee future results.
Re: Outlaw Cryptocurrency (Score:2)
Using Anarchy to Combat Authoritarianism doesn't solve anything. These are ideals not electrical charges. They won't just cancel themselves out.
Well said, sir!
Re:Outlaw Cryptocurrency (Score:4, Insightful)
Tracking everyone you conduct transactions with is both insecure and leads to authoritarianism.
Ironically enough, that's exactly what BitCoin's public ledger does. It just moves the identification problem from being in the record to needing external mapping, but that's what authoritarian regimes do best.
These asshats didn't protect their network...
This is not a company problem. This is an industry problem. For decades, "IT guys" have sold security solutions as something to be bolted on to an existing system.
Just have an isolated versioning backup system that is disconnected from the administrative network of your core IT, and do that AFTER you have patched your network, enabled two-factor, changed defaults, removed local admin privileges from normal users, and subscribed to a professional SPAM service.
...and none of that will have any significant impact on a corporate threat model, but it'll cost a lot and make your CTO look like they've been really busy. Buying that much consultant time will make your company look exciting, too, but it won't protect your data.
Security is a process of ongoing improvement. It requires having an IT team that works with the rest of the business and learns what the business needs to get the job done. IT should then make changes in the order of least impact to the business. If users need to use USB drives to move data, order company-provided encrypted ones. If users need administrator access to their computers, start rolling out access restrictions so their elevated access is limited to their own machine.
As more small changes happen, more user problems will surface. That's when products are purchased - not to restrict the business, but to enable using capabilities securely. Above all else, remember it is almost never the user's fault if something goes wrong. If some piece of information technology doesn't work, it's the IT department's problem. Usually, it's because the IT guys didn't understand the business needs, or didn't provide adequate training or intuitive systems. Users will always do what's easiest to meet their goals. It's your job to make sure the easiest path is the right one.
Re: (Score:3)
No. Bitcoin serves a purpose.
Mainly, enabling various fancy new kinds of crime. Ransomware is bringing down not just a few asshats who don't protect their networks, but entire governments and hospital systems. All it takes is a single employee clicking on an email link that looks legitimate.
I predict a return of one traditional form of crime, kidnapping individuals for ransom. This has become obsolete in modern countries because in a surveillance society it is impossible to arrange a secure money drop. Crypto makes anonymous money drop
Re: (Score:2)
You probably attack cryptocurrency at the exchange level where its turned into real currency.
I'm sure there's somebody who claims they can do all their financial transactions in bitcoin, but really it needs to be converted into real currency to be truly useful as money.
Obviously there will always be "black market" exchangers, but this will raise the price of converting it to real money and still alter behavior.
Re:Outlaw Cryptocurrency (Score:5, Interesting)
NONE of this shit happened before BitCoin and other Cryptocurrencies created to facilitate stuff like Silk Road transactions.
Itâ(TM)s high time (pun intended) for the outright outlawing of Cryptocurrencies.
Eliminate the ability to hide the money trail and let Interpol handle the rest. Ransomware will be a bad memory within months.
I've long thought that governments would eventually ban cryptocurrencies, and that their stated reason would be something along the lines of "Criminals and Terrorists use it". The irony is that I thought this would be a bullshit excuse, and that they'd ban in reality because they didn't want the competition with their central banks and treasuries. I never thought that the criminals would come along and actually prove governments right. But that's where we are. Pretty soon, there will be popular support for banning crypto.
If/When Bitcoin dies, we can thank a bunch of Russian/Ukrainian E-crooks. Once again, a good computer idea... email, FTP, newsgroups, crypto... is ruined because a bunch of scumbags took advantage of the rest of us.
Re: (Score:2)
NONE of this shit happened before BitCoin and other Cryptocurrencies created to facilitate stuff like Silk Road transactions.
Itâ(TM)s high time (pun intended) for the outright outlawing of Cryptocurrencies.
Eliminate the ability to hide the money trail and let Interpol handle the rest. Ransomware will be a bad memory within months.
I agree with this. While some talk up other features and advantages of crypto, the real attraction is anonymity.
I'm with you: Dry up the untraceable payment system. Malicious attacks would continue, but having no value to the hackers would be a deterrent.
Re: (Score:1)
Re:Outlaw Cryptocurrency (Score:5, Funny)
Let's attack the problem at the source and outlaw money.
Re: (Score:2)
Re: (Score:3)
And what happens when Interpol and agencies like it become tools of an authoritarian regime? Having the ability to hide the source of a transaction is as important to criminals as it is to, for instance, citizens engaged in resistance against a tyrannical authoritarian regime. And while it's unfortunate that criminals benefit, it's far more important that people have access to tools to fight oppressive governments.
Criminal or
Re: Outlaw Cryptocurrency (Score:1)
Criminal organizations are certainly very dangerous, but their reach tends to be limited and the law usually allows people to fight back.
Really?
Reach tends to be limited? True, they so far canâ(TM)t reach businesses on other planets, or without internet access. Other than that, though...
Law usually allows people to fight back?â(TM) Please explain how those laws can be applied in a practical sense, when the criminals are half a planet-away in a country with no extradition treaty with the U.S.?
You make a lot of sense (sarcasm).
Re: Outlaw Cryptocurrency (Score:4)
When I talk about fighting back against criminals, I mean that both people and governments usually have a vested interest in fighting them. This means governments and citizens can work together to try and bring down criminals. When the law enforcement apparatus is itself corrupt, however, the people being wronged are deprived of the means to fight back. Try to fight a tyrannical government and you become the criminal, basically by definition. That's what I'm trying to get at.
Re: (Score:3)
Actually, shit like this did happen before cryptocurrencies, and continues to happen.
Example: An elderly couple falls for a telephone scam and is tricked into wiring money into some scammer's bank account. The scammer transfers the funds into some "offshore" bank. Speak to law enforcement or the victim's bank and there is no talk of recovering the money. They all act as though funds transferred to a foreign bank are irretrievably lost. There is no technical reason for this. Funds are transferred electronica
Re: Outlaw Cryptocurrency (Score:1)
Actually, shit like this did happen before cryptocurrencies, and continues to happen.
Example: An elderly couple falls for a telephone scam and is tricked into wiring money into some scammer's bank account.
Ransomware didnâ(TM)t exist before Cryptocurrency.
Prove me wrong; I dare you.
Re: (Score:3)
Re: (Score:1)
5 seconds of Googling would have shown you that ransomware goes back as far as 1989 [wikipedia.org].
Ok, but those were pretty lame attempts. And quite few and far-between.
As your own source states:
Encrypting ransomware returned to prominence in late 2013 with the propagation of CryptoLocker—using the Bitcoin digital currency platform to collect ransom money. In December 2013, ZDNet estimated based on Bitcoin transaction information that between 15 October and 18 December, the operators of CryptoLocker had procured about US$27 million from infected users.[35]
So, maybe the idea was there; but the trul
Re: (Score:2)
Comments like yours are sad. The majority of crime around the world happen over the Euro, the Chinese RMB, and the US Dollar. The rest happens using Gold, Diamonds, and Oil. Only a very tiny fraction of crime committed happens using Crypto.
Also, be glad that those guys at least didn't wipe Travelex's network and just sold the database, they could have! And Travelex certainly deserves it. They deserve to die regardless, for being criminally incompetent. Travelex should pay up and shut up, and then they shoul
So even if they restore from backup (Score:2)
So even if they restore from backup, they are still on the hook if they don't want the database leaked. Even so, there is no guarantee the hackers will honor their statement and delete their copy.
Re: (Score:1)
There isn't even a guarantee these hackers will be any more capable of protecting their copy from theft by other hackers.
Comment removed (Score:4)
Re: (Score:2)
"we paid crooks to give us your data back" is corporate suicide.
Oh, but the victim won't pay the crooks. Companies who don't want to have a PR disaster publicly say "we won't pay", then go hire a ransomware recovery firm for 11% of the ransom, and that firm turns around and pays the ransom. The company keeps their hands clean, and just says "our partnership was successfully able to restore operations".
Of course, the crooks still got paid, so they properly delete their extortion database, and everybody comes out looking good. If they were to release the database anyway,
Re: (Score:3)
hire a ransomware recovery firm for 11% of the ransom
Tough business model those recovery firms have.
Re: (Score:3)
Hah! Foiled by my poor typing skills and lack of proofreading... That should have been 115%, of course...
Re: (Score:2)
I'm sure he meant to write 110%, but I agree - unless they are really good hagglers!
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Travelex are not the victims. They will carry on regardless collecting information they should never have retained and "bravely" not pay a dime. Their customers are the victims (even before the this heist) and they will get no redress.
So, how is that an argument for continuing to allow Ransomware to flourish?
Re: (Score:2)
then go hire a ransomware recovery firm for 11% of the ransom
Invest 10% of the ransom whether payed or not into a no questions asked bounty.
Re: (Score:2)
Re: (Score:2)
I always liked the movie ransom... it would be messed up if every company taken by ransomware decided to place the ransom amount as a bounty instead.
Re: where are the cops? (Score:2)
How can they, so long as Cryptocurrency allows Anonymity.
If we outlaw Cryptocurrency, then the default will be what it was before: Transactions > $10k are automatically reported by banks.
This still allows you to buy an pretty big bag of Pot, while starving any large scale ransom payments.
And what happens when a REAL kidnapping requires Cryptocurrency for a REAL Ransom payment. (If that hasnâ(TM)t already happened, it certainly will!)
Then it becomes not such an academic, or worse, victim-blaming issu
Re: (Score:1)
Authorities don't give a fuck about "nerd problems."
(I know it is getting old, but these guys should have hired me, instead.)
A new use for bitcoin (Score:2)
No, not taking down companies as such. It would be nice if all contributions to political parties and pols could be with a public ledger. I won't cure the greedy, they'll find a way. But it might help staunch the flood a bit.
Re: (Score:2)
OpenSecrets (https://www.opensecrets.org) should have donations to parties and pols, type a name into the search box. What it won't have is Super PAC money (thanks SCOTUS!), corporation are allowed to give unlimited money to groups that aren't candidates in order to influence the election.
Just more M$ tax (Score:2)
This is just more M$ tax. If you run Windows, it's Russian roulette if you get held to ransom. Best advice, rock with something that has mandatory access controls, like SELinux or TrustedBSD.
Re: (Score:2)
According to M$, Linux is installed on >50% of their Azure VMs. I don't think that 2% is quite accurate any longer. If it's just desktops that are wiped, who cares? Use chrome. It's the servers that hold the business data.
Re: (Score:2)
This is just more M$ tax. If you run Windows, it's Russian roulette if you get held to ransom. Best advice, rock with something that has mandatory access controls, like SELinux or TrustedBSD.
While Windows-based Ransomware is obviously more popular, due mostly to the marketshare of Windows in the corporate world relative to Linux, do you really have the temerity to suggest that no Linux-based networks have ever fallen-prey to Ransomware?
A short tour of known Linux-targeting Ransomware:
https://securityintelligence.c... [securityintelligence.com]
https://threatpost.com/linux-r... [threatpost.com]
https://www.linuxinsider.com/s... [linuxinsider.com]
https://www.carbonite.com/blog... [carbonite.com]
https://www.trendmicro.com/vin... [trendmicro.com]
https://invenioit.com/security... [invenioit.com]
https://www.info [infoworld.com]
Re: (Score:2)
In fact, Linux Ransomware goes back to 2015:
https://en.wikipedia.org/wiki/... [wikipedia.org]
I didn't say it didn't exist. But according to your link (one that I'd read long ago), in the first paragraph:
Discovered on November 5, 2015, by Dr. Web, this malware affected at least tens of Linux users.
The propagation was through a flaw in Adobe's shopping cart. I'll take my chances staking my job with Linux based systems.
Time warp (Score:1)
Re: (Score:2)