Play ransomware group claims to have stolen hotel chain data
H-Hotels, a large hospitality chain with 60 hotels across several countries including Germany and Switzerland has announced it has fallen victim to a ransomware attack. The incident, which took place on December 11, is allegedly a double whammy of hijacked devices and data theft…if a ransomware group is telling the truth.
Another day, another ransomware press release
From the H-Hotel release:
“…unknown persons carried out a cyber attack on the IT network of the hotel company H-Hotels.com, which led to restrictions in digital communication. The cyber attack was discovered by the hotel company’s IT security systems on Sunday. According to initial findings by internal and external IT specialists, cybercriminals managed to break through the extensive technical and organizational IT protection systems in a professional attack.”
The release goes on to say that although bookings are still taking place, email is unavailable as H-Hotels examines all systems to ensure they are no longer compromised. Importantly, H-Hotels claims that there is “no indication” that personal data has been stolen as a result of the attack.
Sadly, this may no longer be the case if what a ransomware gang claims to be true turns out to be accurate.
Play time
Play ransomware is a fairly new addition to the ransomware scene, most notably causing mayhem for the city of Antwerp not so long ago with major digital systems coming to a standstill. When the group claims a juicy target, they post up the details to their leak site alongside the data they claim to have stolen. The typical game plan is to encrypt files, and then threaten to leak files if their demands are not met.
If you’re caught out by Play ransomware, you’ll know quite quickly on account of your files suddenly displaying the .play extension and a ReadMe.txt file containing little more than the word “Play” and an email address.
Play has indeed claimed responsibility for this attack, with H-Hotels joining the growing list of guest appearances on the leak page. There is no indication how much data has been stolen, but the listing mentions “Private, personal data, clients documents, passports, ID, etc”. The proposed publication date for some or all of these files should demands not be met is currently tagged as December 27.
Assuming this is true, it remains to be seen what H-Hotel’s next steps are.
Keeping ransomware at bay
Tackling ransomware can feel overwhelming, especially as even the biggest of organisations fall victim to double or triple threat tactics. Even so, there are many options available to your organisation.
A little recovery time
Don’t wait until ransomware is in your network and encrypting everything to ask if someone has a backup. Get ahead of the curve, and see if you can come up with a suitable and cost effective way to recover your data and prevent further encroachment on your network. When an attack happens, who is contacted first? Who is the emergency response? Which data is the most crucial and sensitive? Has it already been encrypted by your business to prevent network intruders taking a peek?
You should also have an idea of who to make outreach to after an incident, and in what order. Law enforcement, cyber insurance (if you have it), external security contractors may well be some of the first entities on your list.
Testing for timeliness
It’s always a good idea to keep your systems updated, along with your security tools. However: just like those businesses which only consider backups once the damage has been done, there are many out there not running regular scans or ensuring everything is working as it should be. You don’t want to be in the middle of an incident and then find out your licences expired three months ago.
On a similar note, it’s the obvious attack targets which don’t receive enough care and attention from admins. So many compromises are as a result of unsecured Remote Desktop Protocol brute forcing. Make sure you set those passwords in the first place, and limit the rate that individuals can keep trying to log in before being locked out.
3. A valuable set of tools
As you’ve gathered, speed and a calm head is of the essence when dropped into a ransomware incident. You want your Endpoint Detection and Response (EDR) tools to work fast, and with as little friction as possible. Identifying and isolating infected devices, spotting behaviour which resembles ransomware activity, and assisting with file recovery where possible are all extremely useful when that alarm bell starts to ring.
Additional assistance in the form of rogue website blocking, prevention of exploits and malvertising, and brute force protection will all serve you very well.
We have a lot more information with regard to simplifying the fight against ransomware, alongside multiple reports and guides for best practice and overviews of the ransomware landscape generally.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.