Travelex Paid Ransomware Gang $2.3 Million for Keys to Unlock Encrypted Files

The Sodinokibi ransomware attack on Travelex that started on New Year’s Eve and caused weeks of disruption was resolved by paying the ransom demand.

The attack saw Travelex's online currency exchange service taken offline, preventing banks such as Lloyds and Barclays from offering currency exchange services. Travelex was also forced to shut down operations at its 1,500 locations around the world. Some of its systems remained offline for several weeks while the firm recovered from the attack, and it took until the end of January for its online services to be brought back.

The ransomware operators responsible for the attack are a prolific threat group known as REvil. They issued a ransom demand of $3 million for the keys to unlock the encryption. Data was also stolen in the attack, which the REvil gang threatened to publicly disclose if the ransom payment was not made. The gang publicly stated that over 5GB of sensitive data had been stolen from the firm prior to the deployment of their ransomware payload.

Travelex previously stated that it had sought advice from experts, but it never officially confirmed that the ransom was paid. However, according to a recent report in the Wall Street Journal, a source with knowledge of the attack claimed Travelex paid a ransom of 285 Bitcoin, which is around $2.3 million.

Payment of a ransom to recover data is not recommended by the Federal Bureau of Investigation (FBI) or the UK National Crime Agency. Any money paid to attackers will fund further attacks. Payment of the ransom also sends a message to other criminal groups that a company is likely to pay up if attacked, so after paying a ransom demand, a company could face a barrage of further attacks from a more diverse range of threat groups. There is also no guarantee that the attackers will supply valid keys that allow data to be decrypted if the ransom is paid. However, many businesses that have been attacked and do not have the option of recovering data from backups have little choice other than to pay.

For Travelex, and its parent company Finablr, the outlook for the coming months looks particularly grim. The ransomware attack will have cost the company far in excess of the ransom payment itself, and on top of that, the 2019 Novel Coronavirus pandemic has all but shut down foreign travel. Travelex's credit rating has been drastically cut, which makes borrowing harder and more expensive. Finablr has said it is preparing for the possible collapse of Travelex.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news