Ransomware Out Of Control

The hotel Romantik Seehotel Jaegerwirt, a 4 star hotel in the Austrian Alps, decided to pay a ransom of 1,500 Euros in bitcoin after hackers broke into the hotel’s systems and locked all the guests out of their rooms.

Kind of a downside of the Internet of Things.

If you can unlock your hotel room door from your smartphone, hackers can disrupt that system and stop you from doing that.

In addition, new card keys could not be programmed.

If the only way that you can open a guest room is via a card key, that would be very difficult to hack because those doors are typically not directly connected to a central system. However, if the hotel, like many luxury hotels, allowed guests to open their room doors using their smartphones, then that requires a connected lock, and a connected lock is something the hackers can attack.

In addition to the room key system, the hotel’s reservation system and even the cash control system were compromised.

The hotel has been hit by at least three ransomware attacks, all of which resulted in the hotel paying the ransom.

But apparently three attacks were not enough to get the hotel to lock down its systems sufficiently to keep the hackers out.

In another attack revealed this week, the city of Cockrell Hill (population around 4,000, southwest of downtown Dallas, TX) was hit by a ransomware attack that compromised the police department’s evidence system.

The hackers asked for $4,000 in bitcoin.

In the universe of alternate facts, the Cockrell Hill police chief said that this was not the work of hackers.  If not hackers, then who would get the requested ransom?

The Chief also said that no confidential information was breached or obtained by outside parties. While this is possibly true, given the system was encrypted, I am not quite clear how the Chief might have looked at the log files to make that determination. Assuming sufficient log files even existed.

The Chief says that the non-hacker was likely from Ukraine or Russia and that the compromise was a result of someone clicking on a link in email that looked like it came from inside the department.

Chief Barlag decided not to pay the ransom after the FBI told him that it could not guarantee that they would get their data back if they spent the four grand.

Instead they decided to wipe the system clean, losing any possibility of recovering the data. I guess they told the non-hackers who is boss!

The Chief said that none of the information was critical.

The hacking was discovered on December 12th, but the department chose not to disclose the fact to defense attorneys or the court until a judge in Cockrell Hill “asked” the police why they had not turned over the requested evidence.

The videos and other documents lost date back to 2009.  Some were backed up to CDs and paper documents.  What was not backed up is gone.

The Chief said that no cases had been dismissed YET as a result of the loss of evidence, but given that the police had not disclosed that they didn’t have the evidence any more, that is not a big surprise.

While I don’t know, I suspect that at least some cases will be dismissed as a result of the police department’s poor backup strategy (apparently they had a single generation of backup and didn’t discover the ransomware until after the backups were also encrypted) and decision not to spend $4,000.  Some criminals will likely wind up back on the street.

Given that, at last report a while back, the FBI’s Internet Crime Complaint Center says that it receives over 4,000 reports of ransomware every day, these two events are not a huge surprise, but they do point to the fact that no one is immune.

A 180-room hotel in Austria and the police department of a city of 4,000. Neither one of these entities is high profile, large or rich. Given that the attackers are only asking a few thousand dollars (1,500 Euros and $4,000), the victims don’t have to be large, famous or rich. In fact, preying on small, low-end victims probably improves the odds for the attackers. They assume that the victims have an immature or nonexistent cyber security program and a small and possibly outsourced IT department. This makes the victims easy to attack, with little to no defense and little to no ability to recover.

We have both sides of the coin here.

In the case of the hotel, they opted to pay rather than having 180 rooms full of guests leave without their possessions – and likely sue the hotel for damages.  In the case of the police, they opted not to pay knowing that some criminals will likely get off scot-free.

These cases point to the fact that everyone needs to be ready in case they are the next target.

Information for this post came from The Local and WFAA Dallas.
