Play Ransomware Targets H-Hotels After City of Antwerp and Córdoba Judiciary

Play ransomware added H-Hotels to its leak site and claimed to have stolen personal data, client documents, passports, and other identification.

December 21, 2022

German hospitality chain H-Hotels has recently been targeted in a cyberattack claimed by the Play ransomware gang. The attack has crippled the company’s communications systems.

Last week, H-Hotels confirmed that it was struck on Sunday, December 11, 2022, without mentioning it as a ransomware incident and, by extension, without naming the group responsible.

Play ransomware claimed responsibility for the attack, in which the gang reportedly stole data whose contents have not been disclosed. The group claims the stolen material includes personal data, client documents, passports, other identification, and more; it has added H-Hotels to its leak site on the Tor network but has not published any data yet.

H-Hotels on Play Ransomware Leak Site | Source: BleepingComputer

On Tuesday, December 20, 2022, the hotel chain, which operates 60 properties under six brands across Germany, Austria, Switzerland, Hungary, and France, confirmed the data exfiltration and added that personal data could have been stolen.

“The attackers managed to break through the multi-level technical barriers and IT protection systems and steal data using a complex and highly professional attack. In the course of the ongoing investigations, the suspicion seems to be confirmed that personal data (e.g. name, address, e-mail address) could also have been affected by the data theft,” H-Hotels said.

“The group of perpetrators provided relevant information that cannot be verified with regard to accuracy, which also does not rule out the possibility of theft of personal data.”

Mark Lamb, CEO of HighGround.io, told Spiceworks, “It is unclear whether the claims from the Play criminal gang are genuine, so H-Hotels must investigate this urgently as ID cards and passports are the kinds of documents no one ever wants to have floating about on the dark web, particularly as changing them can be a big inconvenience during the holiday season.”

The Play ransomware gang shares tactics, techniques and procedures (TTPs) with the Hive and Nokoyawa ransomware families. Play ransomware threat actors are known to abuse compromised domain, local, and virtual private network (VPN) accounts, exposed remote desktop protocol (RDP) servers, and the FortiOS vulnerabilities CVE-2018-13379 and CVE-2020-12812, according to Trend Micro.

A CrowdStrike report dated December 2 noted that the Play gang, whose victims first surfaced on the BleepingComputer forums in June 2022, also exploits CVE-2022-41080 and CVE-2022-41082, the ProxyNotShell vulnerabilities in Microsoft Exchange.

“Even though the Play ransomware gang is a relatively new group, it has solidified its reputation as a significant threat, claiming responsibility for devastating attacks against Argentina’s Judiciary of Córdoba in August and Belgium’s city of Antwerp several weeks ago,” Nick Tausek, lead security automation architect at Swimlane, told Spiceworks.

“Now, it has claimed responsibility for attacks against a major European hotel chain, H-Hotels, that has caused communications outages at the height of the travel and holiday season.”

The December 2022 attack on Antwerp, which also impacted Diest in Belgium, downed the IT systems of all city services. Targeted in August 2022, Argentina’s Judiciary of Córdoba was sent back to the 20th century, requiring officials to use pen and paper for official documents.

“While Play had previously focused on attacking local governments that have limited cybersecurity infrastructure in place, it is important to note that the group was able to infiltrate an extensive protection network, signifying that Play has developed capabilities to launch more professional attacks,” Tausek added.

H-Hotels has engaged IT forensic experts and has apprised data protection authorities of the incident.

Tausek suggested the adoption of low-code security automation for complete visibility and real-time threat detection and response. 

Lamb added, “This incident once again highlights that the prevention of attacks should always be the primary goal, as the remediation of security incidents can often take months and be very costly.”

“This means training staff on hacking techniques and ensuring businesses employ good cyber hygiene practices, like patching vulnerabilities and keeping software up to date. It is also vital that businesses have an easy way to assess their cybersecurity posture, so they can quickly identify weaknesses that could be maliciously exploited.”

Image source: Shutterstock

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com