Nordic Choice Hotels hit with Conti Ransomware

Nordic Choice Hotels, a giant hospitality franchise with over 200 hotels, has confirmed it was subject to a ransomware attack on its systems by the infamous Conti ransomware group, greatly impacting the hotel company’s guest reservation and room key card systems.  

The Scandinavian hotel company includes brands like Comfort, Quality, and Clarion, and has 200 properties across Scandinavia and the Baltics, with over 16,000 employees. 

Technical difficulties were first confirmed by Nordic Choice Hotels last week, the chain stating that their IT systems were “affected by a virus during the night towards December 2” and that “The virus primarily affected our internal systems for booking, checking in and out and payment solutions”. The hotels had been forced to rely on “manual processes”. 

In a further statement yesterday, Nordic Choice confirmed that Conti ransomware was responsible for the attack. They also stated that their “investigations do not currently give any indication that data has been leaked”, although they “can’t guarantee that is the case”. 

Currently, the hotel chain maintains “There is no indication that card or payment information has been leaked”. 

IT systems affected 

Primarily, the ransomware attack has left hotel staff unable to access Nordic Choice’s reservation systems, which manage bookings, check-ins, check-outs, and payments. Staff have switched to manual processes and procedures to keep business operations going.

Although hotel staff have switched to manual procedures to carry out business operations, Nordic Choice warns guests of “longer queue and waiting time” due to the cyber-attack and the “busy pre-Christmas period”. It has also been confirmed by security researcher Runa Sandvik, one of the hotel guests at Nordic Choice, that key cards are reportedly out of service as well. 

Currently, the disruption extends to Nordic Choice Club Hotel accounts, with hotel guests and Nordic Choice Club Members being unable to log in and access their accounts to book and manage reservations, or apply reward points.  

It is, however, possible to book reservations without logging in. 

There is also the potential risk, although unconfirmed at the moment, that guests' bookings may have been lost and information stolen.  

Information at possible risk includes:  

  • Guest names. 
  • Email addresses.  
  • Telephone numbers.  
  • Date of the visit and any information the guest may have given in relation to their visit.  

If leaked, these could be used to perform highly sophisticated spear-phishing attacks. While there isn’t confirmation of any data leak yet, it’s advised that members stay alert and be wary of any suspicious communications directed at them via email, texts, messages, phone calls and so on.

For any further information, Nordic Choice recommends that affected parties look on their website or send them queries via email at [email protected]. 

Conti ransomware group 

Conti ransomware comes from a Ransomware-as-a-Service (RaaS) group that is believed to be Russian-based and is also known as Wizard Spider. The ransomware group has previously been linked to attacks on healthcare and first responder organisations as well as police department systems and a number of other organisations.

Earlier this year, Conti launched attacks against Graff, a high-profile jewellers that catered to a number of celebrities including the Trumps and Oprah, and Sandhills Global, an Iowan agricultural group. 

With regard to this latest attack, Nordic Choice have stated they have “chosen not to contact” the Conti ransomware group and haven’t received a ransom demand from the group as of yet.

Further confirming this, BleepingComputer was unable to find the hotel company’s name on any of Conti's data leak pages, meaning that the ransomware attack is likely in its early stages and any potential negotiations haven’t been initiated, at least not yet.

“Over the weekend, we have managed to put in place replacement solutions at most of our hotels. The work is now in full swing to get everyone back into normal operation, something we think will be done within the next few days,” said Bjørn Arild Wisth, Deputy CEO of Nordic Choice Hotels. 

Nordic Choice have confirmed they’re working with law enforcement. They also stated they notified the Norwegian Data Protection Authority and Norwegian National Security Authority on the day of the attack.
