Nordic Choice Hotels hit by Conti ransomware, no ransom demand yet

Nordic Choice Hotels has now confirmed a cyber attack on its systems from the Conti ransomware group.

The incident primarily affects the hotel’s guest reservation and room key card systems.

Although there is no indication that passwords or payment information were affected, guest booking information was potentially leaked.

With its brands Comfort, Quality and Clarion, the Scandinavian hotel chain employs over 16,000 people and has 200 properties across Scandinavia, Finland and the Baltics.

Key card out of order

Earlier this week, the Nordic Choice Hotels group announced that their IT systems were affected by a “computer virus” on Thursday 2 December.

The incident left hotel staff without access to the hotel’s reservation systems, which manage check-in, check-out, payments and bookings.

Although staff switched to manual procedures to perform business operations, the hotel informed guests that delays were to be expected.

Members are currently unable to log in to their Nordic Choice Hotels accounts to book and manage reservations or use reward points, although it is still possible to book stays without being logged in:

Nordic Choice Hotel's systems are still facing technical problems
Nordic Choice Hotel’s systems still face ‘technical problems’ (BleepingComputer)

A subsequent blog post from the hospitality group confirmed that the scope of the event will be extended to Nordic Choice Club members in addition to the current hotel guests.

One of the hotel’s guests, security researcher Runa Sandvik, also reported that key cards were out of order:

No ransom requirement yet, law enforcement engaged

Law enforcement agencies, including the Norwegian Data Protection Authority and the Norwegian National Security Authority, were notified of the attack by the hotel company on 2 December – the same day as the attack.

“Our investigations at this time do not give any indication that data has been leaked, but we can not guarantee that this is the case. Therefore, the incident carries a risk that information about guests’ reservations may be lost,” the company explains in a release .

“This information consists of name, email address, telephone number, date of visit and any information that the guest may have provided in connection with their visit. There is no indication that card or payment information has been leaked.”

Although the hospitality group may not be sure of any data leak yet, the decision to be transparent and inform its members about the incident is an attempt to keep them alert to any suspicious communications – texts, messages, phone calls or emails that may be directed at them.

At present, the hotel group has “chosen not to contact” the threatening actors behind the attack, nor have they received a ransom demand from the Conti-ransomware group.

BleepingComputer also did not encounter the hotel group’s name on Conti’s data leak sites, indicating that the ransomware attack is in its early stages and that negotiations may not have begun yet.

Conti ransomware is a private Ransomware-as-a-Service (RaaS) operation believed to be controlled by a Russian-based cybercrime group known as Wizard Spider.

Conti shares some of its code with the infamous Ryuk Ransomware, whose TrickBot distribution channels they started using after Ryuk activity dropped around July 2020.

This ransomware gang has previously targeted a dozen health and first aid organizations and police department systems.

Earlier this year, Conti broke the network of the Irish Health Service Executive (HSE) and the Department of Health (DoH) and asked the former to pay a ransom of $ 20 million after encrypting its systems.

“This weekend we have succeeded in introducing replacement solutions in most of our hotels. The work is now in full swing to get everyone back to normal operation, something we believe will be done within the next few days,” says Bjørn Arild Wisth, Deputy CEO of Nordic Choice Hotels.

Over the next few days, while the company works on law enforcement to counter the cyber attack, some hotel properties may continue to experience delays in check-in, check-out and reservation processes.

“Our customer center currently has limited opportunity to change and add bookings, but is in place to be able to answer any questions. In that case, we recommend that you send us an email at [email protected] or use our website for further information, “advises Nordic Choice Hotels.


Leave a Reply

Your email address will not be published.