Currency exchange giant Travelex has effectively been taken offline by a ransomware attack. 

The attack was first detected the night of December 31. Soon after, the company took its systems offline. A week later, Travelex is processing transactions with pen and paper at its 1,200 branches located in more than 70 countries. 

“To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whist Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated,” the company said in a public statement.

The hackers claim to have six months’ worth of sensitive customer data containing birthdates, credit card information, and insurance numbers. They have threatened to sell the information if their $6 million ransom isn’t delivered.

 “The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base,” the hackers were quoted as saying to BBC news

The ransomware detected on the Travelex servers has been identified as Sodinokibi (also known as REvil), a “ransomware as a service” form of malware that is developed and maintained by the Sodinokibi hacking group and deployed by over 40 affiliates. This strain of ransomware was used in many of 2019’s most newsworthy ransomware campaigns, including concurrent attacks on 22 Texas municipalities.

Researchers believe the hackers took advantage of an unpatched critical vulnerability on the company’s VPN servers. Travelex had neglected to address these vulnerabilities for eight months after they were brought to the company’s attention.