The first big hack of the decade began on New Year’s Eve, a prime time for attackers to operate, since IT staff are distracted by New Year’s celebrations. The company hit was Travelex, a foreign exchange network that had to take down websites in over 30 countries, including those serving UK brands such as Sainsbury’s Bank and Virgin Money. The ransomware used in the attack is known as REvil or Sodinokibi. The group claiming to be behind the attack demanded a payment in excess of £4.6 million.
To further exacerbate matters, the hacking group claimed to have had access to Travelex’s systems for 6 months prior to the attack and to have extracted the personal details of thousands of customers, including credit card information. They used this to blackmail Travelex: if payment was delayed the ransom would double to over £9.2 million, and 7 days after that they would begin selling the customer details on the dark web should Travelex still refuse.
So how did Travelex cope with the situation? Not perfectly, although they did a couple of things right. First, they had insurance, which should cover the immediate costs and loss of business. Secondly, although taking down their sites and online capabilities is a nuisance, isolating affected systems quickly is the right call: it stops the ransomware spreading to live systems that have not yet been encrypted.
Now onto what they didn’t do so well. The first is how the attack was communicated to their customers. This was not done in a timely manner, leaving many customers in the dark with no explanation of what was wrong. The message eventually displayed on the site was that it was down for “scheduled maintenance”, which seems misleading, although it may have been an innocent mistake: standard holding text left in place when the site was taken offline.
The main issue, however, is the length of time it is taking them to recover. At the time of writing, Travelex’s site is still down after 24 days, and the in-store systems were down for nearly 3 weeks before they returned to operation. This should not be an acceptable recovery time for a company of this size.
So why has it taken so long? The attackers claimed that they deleted backup files to make recovery harder, but surely Travelex had another backup off-site, out of the attackers’ reach? Bear in mind that an intruder with months of administrative access can usually find and delete any backup that is reachable from the production network; only offline or immutable copies are genuinely out of reach. Perhaps the investigation into the source is taking so long that they cannot find where the intruders first got into their systems? I believe it could be a mixture of not having readily available backups, a prolonged investigation and another factor: inadequate disaster recovery testing.
Of course Travelex operate many disparate systems, so it can be tough to test that they all work in harmony, but recovery would have been massively sped up had they tested their disaster recovery plan at least once a year. If they did test the plan every year and it still takes this long, Travelex needed a new plan.
What would we have done differently?
Without all the facts about Travelex’s systems it is hard to say exactly what we would have done differently, but there are a few things that we don’t think Travelex were doing which have slowed them down.
For starters, the ransomware may have been avoidable in the first place. Here at Vitanium we use and advocate Panda, which we like to call the next generation of antivirus. Unlike old antivirus software, Panda doesn’t just rely on a list of known viruses and code snippets to look out for; it doesn’t let programs run unless they are whitelisted or it already knows they are safe. This default-deny approach may have stopped the ransomware from activating in the first place. Should the ransomware still have run somehow, perhaps because the attackers had obtained administrator logins, its execution could be traced back and every file the virus touched could be seen, making the root cause much easier to find.
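To show why the difference between the two approaches matters, here is an added illustration of signature-based blocking versus default-deny allow-listing. It is example code written for this article, not Panda’s or any other product’s code, and the “programs” are constructed byte strings standing in for executables on disk; real products fingerprint the binary itself and attach much more context to each decision.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for program files (real products hash the binary on disk).
LEGIT_PAYROLL = b"legit-payroll-app v1.2"
LEGIT_FX_FEED = b"legit-fx-rates-service v3.0"
KNOWN_DROPPER = b"ransomware dropper build 1"
REBUILT_DROPPER = b"ransomware dropper build 2"   # same malware, recompiled: new hash
NEW_ADMIN_TOOL = b"new-admin-tool v0.1"           # legitimate, but never approved


def fingerprint(program: bytes) -> str:
    """SHA-256 of the program bytes; the identity both policies key on."""
    return hashlib.sha256(program).hexdigest()


@dataclass
class ExecutionPolicy:
    deny_list: set = field(default_factory=set)    # hashes of known-bad programs
    allow_list: set = field(default_factory=set)   # hashes of approved programs
    audit: list = field(default_factory=list)      # every decision, for tracing afterwards

    def signature_av_verdict(self, program: bytes) -> str:
        """Old-style antivirus: block only what has been seen before."""
        return "block" if fingerprint(program) in self.deny_list else "allow"

    def default_deny_verdict(self, program: bytes) -> str:
        """Allow-listing: run only what has been explicitly approved."""
        return "allow" if fingerprint(program) in self.allow_list else "block"

    def run(self, program: bytes, label: str) -> dict:
        """Record what each policy would do when `program` tries to start."""
        decision = {
            "program": label,
            "sha256": fingerprint(program)[:16],
            "signature_av": self.signature_av_verdict(program),
            "default_deny": self.default_deny_verdict(program),
        }
        self.audit.append(decision)
        return decision


def demo() -> dict:
    """Run the constructed samples through both policies; returns decisions keyed by label."""
    policy = ExecutionPolicy(
        deny_list={fingerprint(KNOWN_DROPPER)},
        allow_list={fingerprint(LEGIT_PAYROLL), fingerprint(LEGIT_FX_FEED)},
    )
    samples = [
        ("payroll app", LEGIT_PAYROLL),
        ("fx rates service", LEGIT_FX_FEED),
        ("known dropper", KNOWN_DROPPER),
        ("rebuilt dropper", REBUILT_DROPPER),
        ("new admin tool", NEW_ADMIN_TOOL),
    ]
    for label, program in samples:
        policy.run(program, label)
    return {d["program"]: d for d in policy.audit}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:18} signature-AV={decision['signature_av']:5} "
              f"default-deny={decision['default_deny']}")
```

The rebuilt dropper is the case that matters: one recompilation gives it a hash the signature list has never seen, so the deny-list lets it run, while the allow-list blocks it because nobody approved it. The flip side is the “new admin tool” row: default-deny also blocks legitimate software until someone approves it, which is the operational cost of this model, and an attacker holding administrator credentials may be able to approve their own tooling, which is why the audit trail of every decision is as important as the block itself.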
Coupling this with Veeam, they could have set a long retention period and regular incremental backups. A clean restore point from before the intrusion would then still have been available, even if the attackers did gain access 6 months ago as they claim, provided the retention period is longer than the attackers’ time inside the network and the backup copies themselves are kept out of the attackers’ reach.
It goes without saying that on top of this we would also have tested our disaster recovery plan regularly, to ensure everything works as it should and that in the event of a disaster we could be back up and running at full capacity within the recovery time objective (RTO) and recovery point objective (RPO) we had set.
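The retention and RPO arithmetic behind the two paragraphs above can be checked with a small model. What follows is an added example written for this article, not Veeam’s or Travelex’s own tooling. It assumes a simplified schedule (one restore point per day under a rolling retention window, with every n-th copy also written to offline or immutable storage), assumes the worst case that an intruder with months of admin access deleted every network-reachable copy so only offline copies survive, and uses constructed dates based on the article’s “New Year’s Eve” and “6 months prior”.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class RestorePoint:
    taken: date
    offline: bool  # True if stored out of reach of the production network


def build_schedule(incident: date, retention_days: int, offline_every_days: int = 7) -> list:
    """Daily restore points held under a rolling retention window ending at `incident`.
    Every `offline_every_days`-th copy (counted back from the incident) is also offline."""
    return [
        RestorePoint(incident - timedelta(days=d), offline=(d % offline_every_days == 0))
        for d in range(retention_days + 1)
    ]


def surviving_points(points: list) -> list:
    """Worst case assumed here: the intruder deleted every reachable copy,
    so only offline/immutable copies survive to be restored from."""
    return [p for p in points if p.offline]


def latest_before(points: list, cutoff: date) -> Optional[date]:
    """Newest surviving restore point taken strictly before `cutoff`, or None."""
    earlier = [p.taken for p in points if p.taken < cutoff]
    return max(earlier) if earlier else None


def assess(incident: date, initial_access: date, retention_days: int,
           rpo_days: int, offline_every_days: int = 7) -> dict:
    survivors = surviving_points(build_schedule(incident, retention_days, offline_every_days))
    data_point = latest_before(survivors, incident)         # newest copy for data recovery
    clean_point = latest_before(survivors, initial_access)  # newest copy predating the intrusion
    loss = (incident - data_point).days if data_point else None
    return {
        "data_restore_point": data_point.isoformat() if data_point else None,
        "data_loss_days": loss,
        "meets_rpo": loss is not None and loss <= rpo_days,
        # None here means retention is shorter than the attackers' dwell time.
        "clean_image_point": clean_point.isoformat() if clean_point else None,
    }


def travelex_scenario(retention_days: int, rpo_days: int, offline_every_days: int = 7) -> dict:
    """Constructed dates: encryption on New Year's Eve 2019, initial access 180 days earlier."""
    incident = date(2019, 12, 31)
    initial_access = date(2019, 7, 4)  # 180 days before the incident (assumed, not reported)
    return assess(incident, initial_access, retention_days, rpo_days, offline_every_days)


if __name__ == "__main__":
    print("90-day retention: ", travelex_scenario(retention_days=90, rpo_days=7))
    print("365-day retention:", travelex_scenario(retention_days=365, rpo_days=7))
```

With 90 days of retention there is no clean image at all: every surviving copy was taken while the attackers were already inside. With a year of retention a pre-intrusion copy exists, but it is six months stale, so it is useful for rebuilding trustworthy systems rather than for recovering data. In practice data comes back from the newest surviving copy (here a week old, because only the weekly copy was offline), after it has been checked for the attackers’ persistence, and the RPO is only met if offline copies are taken at least as often as the RPO allows. Both numbers are exactly what a regular disaster recovery test should be measuring.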
For more information on Vitanium products get in touch today.