A popular Scandinavian hotel chain has warned that a recent ransomware attack may have led to the theft of personal information related to bookings, while current guests are struggling with longer waiting times at check-in. Nordic Choice runs around 200 locations across the region, with brands such as Comfort, Clarion and Quality. It claimed to have been hit last Thursday with a ransomware attack that impacted “the hotel systems that handle reservations, check-in, check-out and creation of new room keys.” One guest took to social media to explain that hotel staff were forced to personally escort guests upstairs to their rooms because key cards were out of action. A press release dated Monday failed to mention the problem with room keys but revealed that the Conti variant was to blame. Conti has been responsible for large-scale attacks on Ireland’s Health Service Executive (HSE) and an outrageous $40 million ransom demand aimed at Broward County Public Schools in the US. Nordic Choice claimed to have put in place “replacement solutions” at most of its hotels to maintain operations following the incident and has informed the relevant Norwegian authorities. However, current, former, and future guests were warned about potential data theft.
Ransomware remains one of the major threats in the cybercrime landscape. It is vitally important to educate users on spotting and reporting phishing emails, which are often the way ransomware operators get an initial foothold on a network. Enable multi-factor authentication (MFA) for remote access points and virtual private networks (VPNs) to mitigate brute-force attacks. Beyond that, implement endpoint monitoring with an EDR solution and have alerts triaged by an internal SOC or a managed service like Binary Defense. Have multiple backups, including offline backups, and a rigorous incident response plan to get back up and running quickly in the case of an incident. It is important, however, to prevent ransomware incidents rather than simply being prepared to recover quickly from them, because ransomware groups have started threatening to leak exfiltrated data on their websites as a further means to extort victims.