
Help, my hotel was kidnapped!


In my article The Cyberhoteleiro Comes From There!, I promised to address the topics of business continuity, security and privacy within the scope of cybersecurity. I'm even afraid that by now they'll call me “The paranoid guy on duty”. Not because they want to belittle me or others who, like me, suffer from this clinical condition, but because it seems to correspond to behavior characterized by paranoia, with an invasive pattern of distrust and generalized suspicion towards others, interpreting their intentions as malevolent. (I'll warn you that this article is going to be long. I'm just trying to help our cyber hoteliers deal better with an increasingly common situation.)

Imagine then that you are at the peak of your hotel season and that (due to the excellent work carried out) your magnificent hotel unit is completely occupied. Without any warning, your guests are no longer able to enter their rooms because the electronic locks do not work, your reservation and management system is blocked, and there is a message demanding the payment of an amount to unblock the situation.

It seems absurd, right? No, it's not absurd. It is a reality!

Last January it happened at the Romantik Seehotel Jaegerwirt in Austria, a four-star hotel next to a lake in the Alps. After paying €1,500.00 to cybercriminals, its director decided to make the case public.

THE THREAT

While this may, at first glance, be a typical case of Ransomware, what makes it different is that this may well be the first documented case of Ransomware of Things (RoT), also known as Jackware. These terms are used when trying to classify Malware that targets internet of things (IoT) devices, demanding a certain amount to 'rescue' the devices and restore their normal functioning. With more and more 'things' connected to the internet, this is a growing attack vector.

However, in any case, all of this falls into the same category, and it is necessary to start by understanding that what is a threat for some is a business for others.

In recent times, cybercriminals have managed to infect millions of computers, extorting money from their users and enabling ransomware to reach new levels of maturity and threat, with these organized crime groups being driven by a modern 'gold rush'.

[Figure: Total ransomware infections, per month, from January 2015 to April 2016 and average value per 'ransom', in US dollars, per year (via Symantec).]

At this point, a change in behavior was detected, moving from an indiscriminate attack to an attack aimed at institutions and companies with precise targets, denoting an expertise and technique with characteristics of cyberespionage.

On the other hand, some of these groups also provide ransomware as a service (RaaS), expanding their revenue base to other criminals who, with little technical knowledge, want to enter the 'business' - a business that the FBI estimates has yielded billions of dollars to cybercriminal groups, with the average value per 'ransom' doubling in just two years.

It is also important to address the attack vectors – the way in which the infection reaches its target – which, like the activity itself, have undergone evolution.

The best known and perhaps the one that hoteliers most easily recognize is the malicious email, usually containing attached files that, once opened, release the infection and leave the machine at the attacker's mercy. Of course, attackers try to make these emails appear as legitimate as possible, and it is common to find references to unpaid invoices, shipping orders or requests to confirm details of a certain account. Luckily, much of it is written in English, and just for fun I suggest you test your malicious email identification skills here.

There are still those who dare to try Portuguese, and most of these emails are easily detected by their semantic quality (or lack thereof) or by the spelling used. However, pay close attention, because recently some very well 'put together' emails, written in good Portuguese, have been circulating.

Another attack vector is the Exploit Kit, or vulnerability exploitation kit (EK), in which attackers take advantage of vulnerabilities in servers or applications to inject these 'weapons', allowing them, for example, to insert false links into emails, social media posts or web advertising and redirect traffic to fake websites, thus distributing their malicious content.

There are a few more attack vectors, which are starting to be abandoned in favor of the one that is expected to grow rapidly during 2017, as both a vector and an attack platform: the IoT (internet of things) device, that is, a device connected to the Internet. Among cars, cell phones, CCTV circuits, smart TVs, HVAC systems, refrigerators, washing machines, etc., we have recently witnessed, whether through the presentation of proofs of concept or in real cases, the use of these IoT platforms to carry out attacks. The low level of security of these platforms provides the conditions for a perfect storm in the coming years, allowing cybercriminals to easily spread their 'content' or coordinate large-scale attacks.

THE HOTEL KIDNAPPING

Returning to our Austrian example, let's analyze the options and decisions its director had to face.

He probably started by considering hiring a cybersecurity company to respond and mitigate the situation by reestablishing the operation, but quickly realized that it would be much more expensive than paying the ransom. He may then have considered replacing the systems, an option that would once again be much more expensive than paying the ransom, in addition to not being quick to implement. Given the reality of the facts, the most efficient solution was to pay the ransom, and this will be the future reality if things do not change and cybercriminals realize that they can extort a lot of money with it.

Let's be practical: ransomware is not a new thing in the Hotel Industry, where I have seen some cases where the loss was practically total. However, until now the target was the data and in this case there may be backup copies. With the Ransomware of Things the objective becomes to paralyze a piece of equipment or system until the ransom is paid, which - in the case of companies - means stopping a business, and in the case of the Hotel Industry we know what that means. So, paying can be a perfectly understandable option – if to recover millions of revenue I have to pay a few hundred thousand, we all start to wonder if it might not be more logical to pay the ransom.

PREVENTION MEASURES

I hope that by now I have managed to convey the idea that credit cards are not the only risk and that a culture of cybersecurity is necessary in hotels. For me, the question here is who do you prefer to do 'business' with: cybercriminals or companies?

Of course, at some point one may come to the conclusion that paying is a way of 'solving' the situation, but doing so because the risks were not taken into account and money and time were not invested in the security of the hotel unit and, consequently, its systems, employees and guests, is to perpetuate the situation.

A safe environment, whether physical or digital, depends primarily on people. As they are an essential component of preventing and detecting threats, it is necessary to teach, educate and train the employees at your hotel unit.

Computer security in a hotel must have a strategy and concrete objectives, and there must be a risk analysis for each of the technological components to be considered. Therefore, preventing and detecting, whatever the threat may be, first involves thinking, defining and applying.

When there is already a strategy, objectives and policy defined for information systems, then it remains to apply the technology taking into account what has been defined and the associated risks.

Most of the analyses carried out after an attack revealed that several deficiencies in the systems were taken advantage of, such as lack of updates, implementation and configuration of systems without changing default passwords and poor application of internal policies and procedures. Defending your hotel involves things as simple as:

  • Having a good email service provider that uses malicious content filtering systems;
  • Having a good protection system - not just an antivirus; today it can and should be much more than that, filtering content, preventing intrusion and protecting internet browsing, among others;
  • Never forgetting that exposing your users and company to the adoption of good practices makes all the difference.

Remember that the cybercriminal usually needs the 'collaboration' of users to achieve their objective – clicking on something, visiting a web address or making a download.

THE RESCUE

Back to the events in Austria, and the €1,500.00 it cost to resolve the situation. The hotel director confirmed that he had already suffered three previous attacks, but this time the 'friends of cybernetics' managed to block the systems, namely the locks, making it impossible for guests to enter their accommodation and severely affecting operations. He found himself with no other option but to pay, as neither the police nor insurance help in these cases.

Police assistance may occur, but it is always more oriented towards protecting another type of infrastructure than that of a hotel. However, filing a complaint should always happen. Regarding insurance, some policies for companies with coverage for cyber incidents are beginning to appear, especially abroad, in which the insurer provides professional help in resolving situations, but as you can imagine, they are not exactly cheap, and the cost-benefit of the solution must be considered.

However, our Austrian director also stated that after the respective ransom was paid, more attacks occurred and that a fourth attack was repelled as the systems had already been updated, new security standards had been implemented and some of the networks reorganized.

Not wanting to judge this hotel director, especially because obtaining a budget for cybersecurity is always a battle, the truth is that it was only the third time around that this hotel unit implemented the necessary security to prevent the consequences of this attack.

The cost of this problem was not just €1,500.00 (plus what was previously paid). The true cost of an attack goes far beyond this:

  • Downtime – It is often necessary to shut down systems to deal with and repel an attack. Customers and services may be affected, causing an impact on reputation and financial losses;
  • Financial cost – It may be necessary to hire experts to resolve the issue and implement new security systems, policies and procedures. There may also be claims for compensation from customers or litigation in court and associated fines;
  • Data loss – Whether due to encryption or theft, it can have a major impact on the business. Private guest data, intellectual property, strategy documents are vital to the business, and cybercriminals may threaten to publish this information or make it directly available to competitors;
  • Loss of life – It may seem exaggerated, but medical devices or the control of certain vital equipment, when affected by an attack, can put human lives at risk.

Therefore, and because “prevention is better than cure”, my dear cyber hotelier, fight for a budget dedicated to protecting the productivity, continuity, reputation and security of the business, which includes the ability to deal with things “before they happen” and so make it difficult, and often prevent, a kidnapping at your hotel.
