Latest Trending
Last Updated, Jan 12, 2022, 10:30 AM
Inside a Ransomware Hit at Nordic Choice Hotels


Nordic Choice Hotels, a chain with more than 200 hotels across Scandinavia and the Baltic countries, is still dealing with technology problems and the fallout from a data leak after a Dec. 1 ransomware attack.

Immediately after the incident, the company shut down corporate computers, check-in desks and machines such as music systems, and disconnected computers from the internet, said Kari Anna Fiskvik, Nordic Choice’s vice president of technology.

Kari Anna Fiskvik, vice president of technology at Nordic Choice Hotels



Photo:

MAIA HANSEN/A-I-AM

Hotel staff recorded check-in details with pens and paper, and escorted guests to their rooms because digital keycards didn’t work, Ms. Fiskvik said. Just as hackers struck, hotel business was booming again after long pandemic-related lockdowns.

“We were a good target because we were tired already,” she said.

More than five weeks after hackers hit, glitches continue in machines that provide heating, music and other services, she said.

Nordic Choice, an independent franchisor of Rockville, Md.-based

Choice Hotels International Inc.,

operates hotels in Norway, Sweden, Denmark, Finland and Lithuania. A spokesperson for Choice Hotels International said there is no indication the attack affected its technology systems.

An investigation found that hackers had infiltrated Nordic Choice’s systems 36 to 48 hours before launching the attack through a phishing email that appeared to be sent by a tour operator in frequent contact with the company, Ms. Fiskvik said.

Ransomware attacks are increasing in frequency, victim losses are skyrocketing, and hackers are shifting their targets. WSJ’s Dustin Volz explains why these attacks are on the rise and what the U.S. can do to fight them. Photo illustration: Laura Kammermann

A hotel employee thought the message was legitimate and clicked on a malicious link, she said. Hackers then took out most of the hotelier’s antivirus systems and copied data from local Windows files, she added.

Once inside the hotel’s network, the hackers deployed ransomware known as Conti—the same strain that has crippled a number of corporate victims in recent months, plus Ireland’s public healthcare system in 2020.

The Retail and Hospitality Information Sharing and Analysis Center, a nonprofit group that facilitates the exchange of information about cyber threats, had warned members in October about increased ransomware attacks. Retailers and hoteliers should take security precautions such as using multifactor authentication for web-based mail applications and other critical systems, RH-ISAC urged.

Hackers left a message on Nordic Choice computers about how to contact them to decrypt locked data, but didn’t name a ransom amount. The company didn’t plan to talk to the attackers or pay a ransom, Ms. Fiskvik said. Last week, however, she discovered that someone had replied to the hackers in late December, when tech systems were restored, despite warnings from her team not to, prompting the hackers to demand $5 million. Still the company didn’t pay.

Ms. Fiskvik doesn’t know who made contact but it could have been anyone with access to the ransom note, which was available on all hotel computers, she said, adding that she reported the communication to police.

Otto Johansson, service crew manager, tracks room status manually at the Quality Hotel Winn in Gothenburg, Sweden.



Photo:

DAN BERGSTEN/QUALITY HOTEL WINN

The morning after the attack, Nordic Choice operations and tech teams set up a crisis team and decided to fast-track an existing plan to switch from

Microsoft Corp.’s

Windows system to

Alphabet Inc.’s

Google Chrome products. Before the attack, Ms. Fiskvik’s team had planned to convert thousands of hotel computers and service machines from Windows to Chrome as part of a sustainability initiative. She moved up the migration as a way to help recover operations. Technicians didn’t need to visit hotels to collect and clean computers, she said.

The team converted the first computer within 24 hours of the attack, and restored operations at the first hotel within 48 hours, running bookings and check-ins on Chrome. The group migrated around 2,000 computers in 212 hotels within two days, saving weeks of work, she said.

Replacing or changing technology after a cyberattack can be tricky and may introduce new security problems, said Bryon Hundley, vice president of intelligence operations at RH-ISAC.

Rasmus Stridh Halvorsen, an employee at Hotel Xpress Central Station in Oslo, learns how to use Google’s Chrome products in the aftermath of a December ransomware attack.



Photo:

Majken Helén Evensen

The victim company is already in a vulnerable position, Mr. Hundley said, and experts need to test several security aspects, such as multifactor authentication and identity management on the new products. “There are so many complexities to rolling out these technologies, assuring they work and still maintaining a good customer experience,” he said.

As Nordic Choice worked to recover tech systems, hackers posted personal data about employees on the dark web, including details about their bank accounts and government-issued identification numbers. At the time, they claimed the published data was 10% of what they stole.

A few days later, they posted more information, saying it was 20% of the total.

The company held virtual meetings to inform employees about the dark-web posts and has been instructing managers about how to help affected individuals protect themselves from identity theft. “It was definitely very hard on our employees to know that data about them was out on the web, public to anyone with a link,” Ms. Fiskvik said.

Hackers didn’t access systems with customer information, she said.

Nordic Choice informed Norway’s data protection regulator of the data leaks and continues to monitor the dark web, she said. Companies are required to quickly notify regulators about a breach of personal data under Europe’s General Data Protection Regulation privacy law.

Ms. Fiskvik’s team is developing a short cybersecurity training program to teach employees about hacking threats in a way that is easy to digest, such as weekly lessons on how to recognize malicious links or understand other threats. “Most people just can’t keep up. It’s just not what they know. We’re hoteliers, we’re not tech experts,” she said.

Write to Catherine Stupp at Catherine.Stupp@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8

24World Media does not take any responsibility of the information you see on this page. The content this page contains is from independent third-party content provider. If you have any concerns regarding the content, please free to write us here: contact@24worldmedia.com

Latest Post

Common Mistakes When Using Athletic Field Tarps

Last Updated,Jun 5, 2024

High-Performance Diesel Truck Upgrades You Should Consider

Last Updated,May 14, 2024

Warehouse Optimization Tips To Improve Performance

Last Updated,May 6, 2024

Fire Hazards in Daily Life: The Most Common Ignition Sources

Last Updated,Apr 30, 2024

Yellowstone’s Wolves: A Debate Over Their Role in the Park’s Ecosystem

Last Updated,Apr 23, 2024

Earth Day 2024: A Look at 3 Places Adapting Quickly to Fight Climate Change

Last Updated,Apr 22, 2024

Millions of Girls in Africa Will Miss HPV Shots After Merck Production Problem

Last Updated,Apr 18, 2024

This Lava Tube in Saudi Arabia Has Been a Human Refuge for 7,000 Years

Last Updated,Apr 17, 2024

Four Wild Ways to Save the Koala (That Just Might Work)

Last Updated,Apr 15, 2024

National Academy Asks Court to Strip Sackler Name From Endowment

Last Updated,Apr 12, 2024

Ways Industrial Copper Helps Energy Production

Last Updated,Apr 11, 2024

The Ins and Out of Industrial Conveyor Belts

Last Updated,Apr 10, 2024