Travelex staff go back to basics as ransomware cripples systems

By Noor Zainab Hussain and Kirstin Ridley

LONDON (Reuters) – Staff at foreign exchange firm Travelex are using pen and paper to serve thousands of customers after the company said cyber hackers were holding its systems to ransom, leading to a global blackout on its online currency exchange services.

The currency trader, which also provides forex services for customers of HSBC, Barclays , Virgin Money  and the banking arms of British retailers Tesco and Sainsbury, said on Tuesday a software virus identified on Jan. 2 was a ransomware attack.

The spread of the ransomware, which Travelex said it had successfully contained, forced the company to take all its systems offline, causing chaos for New Year holidaymakers and business travellers seeking online currency services.

The company, which has a presence in more than 70 countries, is currently only able to serve customers face-to-face at its 1,200 on-airport and off-airport locations worldwide.

A criminal investigation led by London’s Metropolitan Police is now also underway.

The Financial Conduct Authority, Britain’s markets regulator, said it was also in contact with the firm to ensure affected customers were being treated fairly. The National Cyber Security Centre said it was providing technical support.

Scores of people turned to Twitter to vent their frustration at being left without cash they had ordered for their travels.

Travelex’s parent company Finablr Plc said the hackers used a type of ransomware called Sodinokibi — also commonly referred to as REvil — in an attempt to encrypt customer data.

Travelex said there was no evidence yet that any data had been stolen..

Finablr processes more than 150 million transactions per year — all of which rely on the efficient and uninterrupted operation of computer and communication systems. According to its listing prospectus, published last year, the company has computer-crime insurance to cover cyber risks.

But the incident sent the company’s shares slumping almost 20% to a record low on Wednesday, a drop exacerbated by two major investors selling shares worth about $72 million in the payments firm.

A Virgin Money spokesman said customers were unable to place orders via the Virgin Money Travel Money website or any Travelex website or the contact centre but that customers could process orders at a Travelex Bureau directly.

Sainsbury’s Chief Executive Mike Coupe described the incident as “disruptive” but said customers could still buy currency over-the-counter, while a spokesman for Tesco said its 360 in-store Travel Money outlets were operating as normal.

A spokeswoman for HSBC said its UK bank branches held some euro and dollar stock for immediate purchase but it was unable to take travel money orders. Barclays apologised to its affected customers and said it would restore service “as soon as it was able to do so”.

Travelex, which had computer specialists and external cybersecurity experts work on isolating the virus, is gradually restoring a number of internal systems and is working to resume normal operations as quickly as possible.

Global companies are increasingly facing ransom-demanding hackers who cripple businesses’ technology systems and only stop after receiving substantial payments.

These hackers use malicious programmes such as ransomware to take down systems controlling everything from supply chains to payments to manufacturing.

Neither Finablr nor Travelex provided any detail on the costs of handling the incident so far but Finablr said it did not currently expect to suffer any material financial impact from the incident.

Another European company aluminium maker Norsk Hydro <NHY.OL> faced costs of between 300 million and 350 million Norwegian crowns ($39.52 million) in its first quarter last year following a similar cyber attack in March.

“The ongoing attack against Travelex is arguably the worst case scenario for how crippling ransomware can be,” Stuart Reed, vice president for cybersecurity at British web services firm Nominet said.

“If there was ever any doubt that a cyber attack could have a significant effect on financial markets, this proves otherwise.”

Hackers have grown more sophisticated during the past year, cybersecurity experts say, shifting from individuals to larger companies that can afford bigger ransoms.

In August, hundreds of dental offices around the United States found they could no longer access their patient records because of a Sodinokibi attack, according to Malwarebytes, which sells cybersecurity software.

Finablr’s other six brands – UAE Exchange, Xpress Money, Unimoni, Remit2India, Ditto and Swych — are not affected and are operating normally, it said.

($1 = 8.8580 Norwegian crowns)

(Additional reporting by Carolyn Cohn and Lawrence White; writing by Sinead Cruise, Editing by Shailesh Kuber/Louise Heavens/Jane Merriman)

With paper and phones, Atlanta struggles to recover from cyber attack

By Laila Kearney

ATLANTA (Reuters) – Atlanta’s top officials holed up in their offices on Saturday as they worked to restore critical systems knocked out by a nine-day-old cyber attack that plunged the Southeastern U.S. metropolis into technological chaos and forced some city workers to revert to paper.

On an Easter and Passover holiday weekend, city officials labored in preparation for the workweek to come.

Police and other public servants have spent the past week trying to piece together their digital work lives, recreating audit spreadsheets and conducting business on mobile phones in response to one of the most devastating “ransomware” virus attacks to hit an American city.

Three city council staffers have been sharing a single clunky personal laptop brought in after cyber extortionists attacked Atlanta’s computer network with a virus that scrambled data and still prevents access to critical systems.

“It’s extraordinarily frustrating,” said Councilman Howard Shook, whose office lost 16 years of digital records.

One compromised city computer seen by Reuters showed multiple corrupted documents with “weapologize” and “imsorry” added to file names.

Ransomware attacks have surged in recent years as cyber extortionists moved from attacking individual computers to large organizations, including businesses, healthcare organizations and government agencies. Previous high-profile attacks have shut down factories, prompted hospitals to turn away patients and forced local emergency dispatch systems to move to manual operations.

Ransomware typically corrupts data and does not steal it. The city of Atlanta has said it does not believe private residents’ information is in the hands of hackers, but they do not know for sure.

City officials have declined to discuss the extent of damage beyond disclosed outages that have shut down some services at municipal offices, including courts and the water department.

Nearly 6 million people live in the Atlanta metropolitan area. The Georgia city itself is home to more than 450,000 people, according to the latest data from the U.S. Census Bureau.

City officials told Reuters that police files and financial documents were rendered inaccessible by unknown hackers who demanded $51,000 worth of bitcoin to provide digital keys to unlock scrambled files.

“Everything on my hard drive is gone,” City Auditor Amanda Noble said in her office housed in Atlanta City Hall’s ornate tower.

City officials have not disclosed the extent to which servers for backing up information on PCs were corrupted or what kind of information they think is unrecoverable without paying the ransom.

Noble discovered the disarray on March 22 when she turned on her computer to discover that files could not be opened after being encrypted by a powerful computer virus known as SamSam that renamed them with gibberish.

“I said, ‘This is wrong,'” she recalled.

City officials then quickly entered her office and told her to shut down the computer before warning the rest of the building.

Noble is working on a personal laptop and using her smartphone to search for details of current projects mentioned in emails stored on that device.

Not all computers were compromised. Ten of 18 machines in the auditing office were not affected, Noble said.

OLD-SCHOOL ANALOG

Atlanta police returned to taking written case notes and have lost access to some investigative databases, department spokesman Carlos Campos told Reuters. He declined to discuss the contents of the affected files.

“Our data management teams are working diligently to restore normal operations and functionalities to these systems and hope to be back online in the very near future,” he said. By the weekend, he added, officers were returning to digital police reports.

Meanwhile, some city employees complained they have been left in the dark, unsure when it is safe to turn on their computers.

“We don’t know anything,” said one frustrated employee as she left for a lunch break on Friday.

FEEBLE

Like City Hall, whose 1930 neo-Gothic structure is attached to a massive modern wing, the city’s computer system is a combination of old and new.

“One of the reasons why municipalities are vulnerable is we just have so many different systems,” Noble said.

The city published results from a recent cyber-security audit in January, and had started implementing its recommendations before the ransomware virus hit. The audit called for better record-keeping and hiring more technology workers.

Councilman Shook said he is worried about how much the recovery will cost the city, but that he supports funding a cyber-security overhaul to counter future attacks.

For now his staff are temporarily sharing one aging laptop.

“Things are very slow,” he said. “It was a very surreal experience to be shut down like that.”

Mayor Keisha Lance Bottoms, who took office in January, has declined to say if the city paid the ransom ahead of a March 28 deadline mentioned in an extortion note whose image was released by a local television station.

Shook, who chairs the city council’s finance subcommittee, said he did not know whether the city is negotiating with the hackers, but that it appears no ransom has been paid to date.

The Federal Bureau of Investigation, which is helping Atlanta respond, typically discourages ransomware victims from paying up.

FBI officials could not immediately be reached for comment. A Department of Homeland Security spokesman confirmed the agency is helping Atlanta respond to the attack, but declined to comment further.

Hackers typically walk away when ransoms are not paid, said Mark Weatherford, a former senior DHS cyber official.

Weatherford, who previously served as California’s chief information security officer, said the situation might have been resolved with little pain if the city had quickly made that payment.

“The longer it goes, the worse it gets,” he said. “This could turn out to be really bad if they never get their data back.”

(Reporting by Laila Kearney; additional reporting by Jim Finkle; editing by Daniel Bases and Jonathan Oatis)

U.N.’s North Korea sanctions monitors hit by ‘sustained’ cyber attack

A man types on a computer keyboard in front of the displayed cyber code in this illustration picture

By Michelle Nichols

UNITED NATIONS (Reuters) – United Nations experts investigating violations of sanctions on North Korea have suffered a “sustained” cyber attack by unknown hackers with “very detailed insight” into their work, according to an email warning seen by Reuters on Monday.

The hackers eventually breached the computer of one of the experts on May 8, the chair of the panel of experts wrote in an email to U.N. officials and the U.N. Security Council’s North Korea sanctions committee, known as the 1718 committee.

“The zip file was sent with a highly personalized message which shows the hackers have very detailed insight into the panel’s current investigations structure and working methods,” read the email, which was sent on May 8.

“As a number of 1718 committee members were targeted in a similar fashion in 2016, I am writing to you all to alert you to this heightened risk,” the chair of the panel of experts wrote, describing the attack as part of a “sustained cyber campaign.”

A spokesman for the Italian mission to the United Nations, which chairs the 1718 sanctions committee, said on Friday that a member of the panel of experts had been hacked.

No further details who might be responsible were immediately available.

North Korea’s deputy United Nations envoy said on Friday “it is ridiculous” to link Pyongyang with the hacking of the U.N. panel of experts or the WannaCry “ransomware” cyber attack that started to sweep around the globe more than a week ago.

Cyber security researchers have found technical evidence they said could link North Korea with the WannaCry attack.

Reuters reported on Sunday that North Korea’s main spy agency has a special cell called Unit 180 that is likely to have launched some of its most daring and successful cyber attacks, according to defectors, officials and internet security experts.

The U.N. Security Council first imposed sanctions on North Korea in 2006 and has strengthened the measures in response to the country’s five nuclear bomb tests and two long-range rocket launches. Pyongyang is threatening a sixth nuclear test.

A second email by the U.N. sanctions committee secretary to the 15 Security Council members on May 10 said the U.N. Office of Information and Communications Technology was “conducting an analysis of the affected hard drive.”

“Increased vigilance relating to 1718 Committee-related correspondence is therefore advised until data analysis and related investigations are completed,” the email read.

(Reporting by Michelle Nichols; Editing by Alistair Bell)