photo by Tejvan Pettinger
At first blush, a New Year’s ransomware attack against the Travelex foreign exchange company seemed depressingly routine. But there was an alarming wrinkle: The attackers weaponized Europe’s General Data Protection Regulation to further victimize their target.
Although based in London, Travelex is familiar to Americans and other worldwide travelers thanks to the red-and-blue signs marking its currency exchange counters at many airports and other travel hubs. By its own report, Travelex is the world’s largest foreign exchange bureau. More significantly at the moment, it offers global remittance and prepaid credit card businesses, which require Travelex to gather identifying and other personal information about its customers. Failure to do so would violate laws against money laundering. This data includes dates of birth, Social Security or national insurance numbers, and bank account information.
The company hastily shut down most of its computer systems on New Year’s Eve. After initially claiming this was for maintenance, Travelex admitted last week that it was the target of a ransomware attack by a gang using a program known as Sodinokibi, or REvil.
REvil and its predecessor, GandCrab, are something of a legend in the world of online security. Analysts have reason to believe that some of the hackers who worked on GandCrab worked on REvil as well, in part due to the similarities in the programs. The hackers creating these ransomware strains write elegant and effective code, according to the researchers who study them. Like other top-notch professionals, they expect to be well compensated for their skills. So they target “big game” in the form of government agencies, hospitals, data centers and sizable companies that can be made to pay up if hackers apply enough pressure. Press reports indicate that the attackers’ initial demand to Travelex was $3 million, later doubled to $6 million.
The usual course of a ransomware attack is to abruptly encrypt an organization’s data, rendering it inaccessible unless the target has clean backups. The ransomware will usually include a delayed-action feature, so that it can infect not only the live data, but backups from weeks or months prior. This makes potential restoration less thorough and more difficult. The target, or someone working on the target’s behalf, must analyze and test each set of backup data to ensure it does not carry its own copy of the ransomware.
In the meantime, the organization’s computers are inoperable. Hospitals and medical practices may have to turn away patients; government agencies cannot perform their normal functions without resorting to pen and paper – if at all.
To further pressure targets into paying, hackers often threaten to permanently delete the locked data if payment is not forthcoming. This is the proverbial pistol pointed at the hostage’s temple. Like more traditional forms of hostage-taking, ransomware attacks are apt to continue as long as targets keep paying, at least some of the time.
Most of this script played out as usual for Travelex. But because Travelex is based in the United Kingdom, the Sodinokibi bandits have another weapon at their disposal: Europe’s data protection law. Impending Brexit plans do not affect Travelex’s relationship to the GDPR, and likely wouldn’t in any case, given Travelex’s status as a multinational company. So instead of threatening to delete the hostage data if Travelex doesn’t pay, the hackers are threatening to make it public.
Travelex is subject to fines of up to 4% of annual revenue (which the British quaintly call “turnover”) for failing to protect customer data. This may include failing to report a breach to the Information Commissioner’s Office within 72 hours, as well as the breach itself. We might expect regulators to go easy on the company, since it is a victim and did not, for example, misuse customer information for its own gain. But given regulators’ propensity for fining financial companies for mere mistakes, this is not necessarily the way things will play out. Especially because, in this case, it appears Travelex was vulnerable to the attack because it failed to implement a security patch that had been available for months. That patch would have closed a hole in Travelex’s internal network that criminal gangs and government-sponsored hackers had exploited previously. The Shodan security search engine, as reported by Ars Technica, recently warned that more than 1,000 servers running the same vulnerable network software remain unpatched. This failure may give regulators a foothold for arguing Travelex is at least partially to blame.
Like other parasites, ransomware attackers seek to bleed their hosts without killing them. Sometimes the host does not play along: A medical practice in Battle Creek, Michigan, reportedly shut down last March rather than pay a reported ransom demand of a mere $6,500. It is easy to picture the attackers shaking their heads in disbelief. Small businesses are capable of such financially irrational behavior, because their owners are individuals answerable mainly to themselves. Bigger companies have shareholders, lenders and regulators to hold them to account – not to mention customers and employees. According to data from anti-malware and anti-virus company Emsisoft, the average ransomware attack costs about $8 million. Some targets will pay, and some will deal with the costs and inconveniences associated with not paying. Targets subject to the GDPR may be more inclined to pay than to risk penalties if regulators decide they did not do enough to protect customer data.
Until governments start sending business owners and bureaucrats to jail for feeding this growing scourge by paying ransomware demands, it is not likely to stop. Already the ransomware industry generates an estimated profit of billions of dollars per year. It even has its private (gang) and public (state-operated) sectors.
If the law isn’t going to stop the flow of money to the digital hostage takers, it ought to at least try to avoid giving them another weapon to use against victims. Right now, the only law that is operating as expected is the law of unintended consequences.