Nordic Choice Hotels, SPAR Stores Are Latest Attack Victims
Conti Ransomware Group Reportedly Behind Strike on Hotel Chain
Two separate massive cyber incidents recently occurred. One has disrupted services at 200 Nordic Choice Hotels in Europe, and the other - a cyberattack on a major supplier - has caused around 300 SPAR stores to temporarily close in the UK.
Nordic Choice Hotels, which runs 200 hotels across Scandinavia, Finland and the Baltics, confirmed on Monday that the Conti ransomware group was responsible for a cyberattack that crippled the hotel's guest reservation and room key card systems.
The same day, the Dutch-owned supermarket chain SPAR was forced to shut its U.K. stores after what it calls an "online attack" that disrupted its payment services. The U.K.’s National Cyber Security Center and Lancashire Police are currently investigating the attack, which is believed to have hit supplier James Hall & Co. in Preston, Lancashire, which operates SPAR’s tills and IT systems, according to a report by the BBC.
Neither SPAR nor Nordic Choice Hotels spokespeople were immediately available to comment.
Nordic Choice Hotels
The hotel chain released a note on Monday that attributed the Dec. 2 attack to the Conti ransomware group.
"On the night of 2 December, Nordic Choice Hotels was hit by a virus attack on our IT systems. The virus infected systems for bookings, check-in and check-out, as well as payment solutions. After the incident, we have worked around the clock with internal and external resources to get an overview of the extent of the event, as well as restore the systems so that the operation of the hotels can return to normal," the release states.
Conti is one of several Russian-speaking ransomware operations, believed to be operating from countries that were formerly part of the Soviet Union, that have continued to hit targets in the U.S. and Europe, causing widespread disruption.
The hotel chain says that it has informed the Norwegian Data Protection Authority and the Norwegian National Security Authority about the attack and that its investigations do not currently give any indication that data has been leaked. But the company said it can't guarantee that data has not been leaked.
"Therefore, the incident entails a risk that information about the guests' bookings may be lost. This information consists of name, email address, telephone number, date of the visit and any information the guest may have provided in connection with their visit," the company says.
Nordic Choice Hotels says that there is no indication that any card or payment information has been leaked.
"If Conti’s history is anything to go by, chances are information was leaked and access to their system may even be up for sale on the black market. The Conti ransomware gang has carried out hundreds of destructive attacks on companies around the world since March 2020," says Sam Curry, chief security officer at cybersecurity firm Cybereason.
The U.S. government, which has been tracking an increase in the pace of attacks tied to Conti ransomware, recently issued a joint cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency, warning that Conti has so far successfully hit more than 400 organizations based in the U.S. and abroad (see: Conti Ransomware Attacks Surging, US Government Warns and Celebrities' Data Dumped on Darknet Site After Hack).
"In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment," the advisory says.
To better secure against Conti attacks, the alert recommends a range of defenses, including "implementing the mitigation measures described in this advisory, which include requiring multifactor authentication, implementing network segmentation and keeping operating systems and software up to date."
Bjørn Arild Wisth, deputy CEO at Nordic Choice Hotels, says that over the weekend the company managed to apply replacement solutions, and work is currently in full swing to get everything back to normal operations.
Wisth says it will still take a few more days before everything gets back to normal.
"We do not know for sure yet, but since we see that there may be a risk that such information is leaked, we choose to inform about it now, so that our guests can be extra alert to any suspicious text messages, phone calls or emails," says Wisth. "Nordic Choice Hotels has chosen not to contact those behind the attack, nor have we received a specific demand from them. The matter has been reported, and we will assist the police in the investigation with all available information."
Curry recommends companies deploy endpoint detection and response software on their endpoints to stop the Conti scourge. He also recommends keeping systems patched and regularly reminding employees not to open attachments from unknown sources or visit dubious websites, and to back up files to remote servers and protect networks by using organizational firewalls, proxies, web filtering and mail filtering.
Carl Wearn, head of e-crime at Mimecast, tells Information Security Media Group that the incident highlights the impact that ransomware can have on everyday life.
He says these attacks can be expensive, and Mimecast has found that the average ransom payment in the U.K. is 628,606 pounds, while the average amount of downtime is six days.
In a second major attack this week, a SPAR supermarket in the U.K. said on Twitter: "There has been an online attack on our IT systems which is affecting stores' ability to process card payments, meaning that a number of SPAR stores are currently closed. We apologize for any inconvenience, we are working as quickly as possible to resolve the situation."
On Monday, in a Facebook post, SPAR said that it is aware of an online attack on its IT system. It says the attack has not affected all SPAR stores across the north of England, but a number have been affected over the past 24 hours, and it is working to resolve this situation as quickly as possible.
The company said that the attack is currently affecting stores' ability to process card payments, meaning that some SPAR stores are currently closed to shoppers or only taking cash payments. This fits in with the BBC report that the initial victim was SPAR’s tills and IT systems provider, James Hall & Co.
On Tuesday SPAR did not provide any updates about the situation. Stores that are open are only accepting cash payments.
Supply Chain Attack Concerns
"This attack is a perfect illustration of how quickly the consequences a cyberattack can spread throughout a supply chain. SPAR’s franchise model means that hundreds of small businesses share the same systems, meaning an attack on one quickly becomes an attack on all," says Jamie Akhtar, CEO and co-founder of CyberSmart. "We’re increasingly seeing cybercriminals use these tactics to target large businesses - some 80% of attacks now begin in the supply chain."
Brian Higgins, security specialist at Comparitech, tells ISMG that this attack looks like a supply chain attack at first glance. He says it is very difficult to ensure that every link in the supply chain has appropriate cybersecurity measures in place, and it only takes one vulnerable point to allow criminals into a network.
"Once they’re in, the knock-on effects can be catastrophic. The timing might also be indicative of a planned attack as most retailers don’t run a full back-office service at weekends. I’m sure there will be a full investigation. It can often be counterproductive to speculate on motive, etc., during an ongoing incident," Higgins says.
Curry recommends against paying ransoms, saying it doesn't pay to do so unless it is a matter of life or death or a national emergency. Cybereason's ransomware study of more than 1,200 global organizations found that 80% of companies that paid a ransom were hit a second time, often by the same attackers, Curry says.
Matt Aldridge, principal solutions consultant at Carbonite + Webroot, says SPAR is "one of a growing number of retail organizations affected by extortion attacks on their critical systems. Retail, particularly, is one of the industries most vulnerable to ransomware and distributed denial-of-service attacks. Even a few hours of disruption to systems can cause inconvenience to customers and lead to millions of pounds of losses."