
We have been attacked: Techotel live blogs the aftermath of a ransomware takedown


We have problems — words that nobody wants to read as countless guests wait in various stages of limbo at hotels they cannot check into. After three hours of silence, the problem begins to crystallize: European hotel management software provider Techotel has become a victim of ransomware and, unable to access the critical systems it would normally use to notify its customers and vendors, has live-blogged its response.

The saga of Techotel’s courageous battle is recounted below, with hours turning to days, turning to weeks in the fight against ransomware and criminal threat actors. This is a story of desperation, exasperation, hope, humanity, and resilience. Please note that all time stamps are in UTC.

We have been attacked by a virus. Nothing is wrong with our cloud. We will work together with antivirus specialists to solve this. – Techotel blog, June 9, 06:52.

On June 9, at 03:53, the Denmark-headquartered Techotel made the unusual and truly commendable decision to begin live-blogging following issues with their Danish, Swedish, and Irish Picasso hotel system. Unfortunately, roughly four hours later, their IT staff concluded they had been hit by ransomware, and their email was inaccessible.

To pay or not to pay?

Technicians worked for several hours while thousands of guests were affected in several hundred hotels across Europe. At 13:29, Techotel announced they expected to be contacted by Eagle Shark, a remediation firm, regarding the ransom amount. The issue would take five to ten hours to fix. Little did they know that acquiring the bitcoin necessary to pay the ransom would be another hurdle.

Ransomware, a subset of malware, continues to rise in infamy and frequency. According to the 2020 Coalition Claims Report, it is the most common cyber incident accounting for 41% of all reported claims. The 2020 Verizon DBIR found that ransomware incidents have doubled in the last year — a troubling statistic regarding an attack vector that shows no signs of slowing down.

Ten hours came and went. Techotel did not hear from the “bandits” until the morning of June 10. Money laundering regulations complicated efforts to acquire the necessary bitcoin and Techotel was forced to negotiate with their bank as well as their attacker. Ultimately, an agreement to acquire the bitcoin and pay the ransom was not signed until 15:46 on June 10.

We and Eagelshark.com were informed about the amount we have to pay; it is much more than we expected! We have to pay in Bitcoins to get access to the data. It is a large sum that we need to transfer. – Techotel blog, June 6, 12:51.

The difficult work of decryption

It was late when Techotel received the decryption keys, at 22:51 on June 10. The estimated deadline to restore service had long since passed, and their technical staff, who had been working in teams of two, were undoubtedly weary.

We need to sleep now. We are not live, but will continue Friday at 10:30. – Techotel blog, June 11, 04:00.

At 10:43 on June 11, Team 1 announced that their files had been encrypted over four times, so decryption would be complex. Team 1 was forced to contact the bandits while Team 2 attempted to involve another specialist. Team 1 wrote scripts to decrypt the files as morning turned to night, while Team 2 worked to decrypt the SQL hotel data. Two other teams were looped in to address other systems.

Tip: All policyholders with an issue, please call 24x7 toll free at +1 833 866 1337 or email claims@coalitioninc.com. Don’t wait to get in touch.

By the evening, Techotel’s blog noted that they were now working with the bandits to restore their systems. Almost comically, but certainly optimistically, they noted that they believed there was a slight chance that hotel systems would go live again that evening. Instead, days passed. The Eagle Shark team continued to work on decrypting the files while Techotel contacted the Danish Data Protection Agency. On June 14 at 12:45, Techotel blogged that they expected Picasso to be up and running within the week.

The dangers of business interruption

Ransomware attacks can make or break many businesses and not just because of hefty ransoms. Business interruptions can cause additional expenses as you struggle to get back online, a fight that is not necessarily over once the attackers turn over their decryption keys.

We have installed 3 new Domain Controllers last night. However, we need to re-install all of our servers to be sure that we don't have any hidden virus files. – Techotel blog, June 15, 08:55.

As mid-June crept up, Techotel continued the restoration process with five teams working to restore their data and critical systems. However, the optimism vanished from their blog updates on June 17, when they admitted they did not have the data required to bring their systems back online.

The decryption of logins and printers continued, with Eagle Shark remaining on hand to assist. Good news appeared on June 30 as Techotel announced that the integration to Digital Guest Book was live. Finally, on July 3, nearly a month after the incident began, the blog carried a simple announcement: “Yield Planet are sending reservations directly into Picasso again :-) Reservations you have manually entered by hand, will automatically be synchronized.”

What could have prevented this?

  • Cyber extortion: Costs to respond to an extortion incident, up to and including payment of a ransom demand

  • Breach response: Costs to respond to a security failure or data breach, including third-party incident response and public relations experts, customer notification costs when required by a privacy statute or regulation, credit monitoring, media purchases, and legal fees

  • Business interruption and extra expense: Financial losses resulting from a failure in your security, a data breach, or even a systems failure, as well as the extra expenses you incur to bring your company back online

  • Crisis management: Voluntary notification costs, even if no PII was accessed but the client wants to provide notification or credit monitoring services to their customers

  • Digital asset restoration: Costs to help recover or recreate digital assets that have been destroyed via the encryption and/or decryption process of the ransomware event

Coalition also enables policyholders to manage their digital risk exposure with Coalition Control, our integrated risk management platform. Through Control, access our Automated Scanning & Monitoring, which finds organizational risk and shows you how to fix it before the unthinkable happens. Sign up with just your email address and start controlling your risk right away.