contact us

We are here for you!

Contact us.

We will get back to you as soon as possible.

Exeon Analytics AG

Grubenstrasse 12
CH-8045 Zürich
Phone: +41 44 500 77 21

The timeline of a ransomware attack

The foreign exchange service provider, Travelex, had a very unpleasant start into the New Year. They became one of the latest corporate ransomware victims. A cyber attack usually consists of multiple stages, each of which can take days to months. Let’s use Travelex to explain the timeline of a ransomware attack*

By David Gugelmann, January 2020

  1. Infiltration: As a first step, the attacker needs to get into the attacked company’s network. The two main company infiltration vectors are weaknesses in the IT infrastructure (unpatched vulnerabilities, too open security perimeters, etc.) and employees being the target of social engineering. In the case of Travelex, the attackers allegedly gained access over a known but unpatched VPN server vulnerability.
  2. Movement: The attackers move within the network from their point of entry to the critical data/infrastructure. Since the attackers initially do not know where to find the valuable data and systems, this stage can take days, several months or even years. The Hacker group Sodinokibi, which is behind the Travelex attack, claims to have been in the Travelex network for several months.
  3. Data exfiltration/encryption: Once the attackers manage to access critical data and infrastructure, a cyber attack can become really damaging. At this point in time, attackers will often start to steal data, as well as encrypt critical infrastructure. According to Sodinokibi, they exfiltrated over 5 GB of sensitive customer data, including names and credit card information while Travelex reports that no data has been breached.
  4. Detection: Cyber attacks are often detected way too late. The infamous cyber attack on the hotel chain Marriott has only been detected four years after infiltration! Travelex only detected the attack after receiving an USD 6 million ransom ask. If the ransom will not be paid, Sodinokibi threatens to publish the allegedly exfiltrated customer data.
  5. Investigation and resolution of the attack: Fixing the damages caused by a cyber attack and patching all vulnerabilities is not an easy task. Today, more than three weeks after the attack has been detected, Travelex’s website is still out-of-service.
  6. Damages and fines: The financial damages from business interruptions alone can be horrendous. In case of a ransomware attack, the ransom is often paid, making it a very lucrative business for attackers. On top of that, potential GDPR-fines for data breaches must be added. Such fines can amount to up to 4% of the company’s annual turnover. It will take a while until Travelex will be able to assess the overall financial damage from this cyber-attack. However, the ransom alone is USD 6 million, and the potential maximum GDPR-fee could also mount up to USD 35 million**.


How to avoid such costs? I’m convinced that nearly every network could be breached eventually. Consequently, it is of utmost importance that companies shorten the detection time of an attack (see stage two above). Our security analytics solution ExeonTrace does exactly that. Are you interested to know more? Please feel free to book a video conference directly over this link.


* Exeon was not directly involved in the investigation of the attack. The presented information is reconstructed from different public sources.
** Estimation based on Travelex’s annual revenue in 2018.



Find additional articles on the topic here: 

Travel cash services still out after Travelex hack

Travelex provides foreign-exchange services in 70 countries across more than 1,200 retail branches. After the attack, the Travalex websites went offline in at least 20 countries. Retailers must carry out tasks manually and customers remain stranded without travel money. Read full article 

What is Sodinokibi? The ransomware behind the Travelex attack

Sodinokibi, which is also known as “REvil” is a ransomware-as-a-service (RaaS) model, which has been discovered in 2019. They are usually exploiting known vulnerabilities and have been behind numerous high-profile attacks over the last year. Read full article 

Swiss hospitals are victims of ransomware attacks (in German)

The danger of Swiss hospitals being attacked by ransomware is larger than previously expected. Several hospitals have been targeted in October 2019 and the threat is not yet contained. (Article in German). Read full article 

Five ransomware attacks

Quick overview on five different attacks. The cheekiest? In my opinion Ryuk which attacked companies running on a tight deadline and cashed on the back of their time pressure. Read full article 

Black and white picture of CEO Dr. David Gugelmann