Ransomware Brings Down Large International Hotel Chain

Posted by Trevagh Stankard on Tue, Nov 9th, 2021

Normally, a disrupting ransomware attack on a prominent hotel chain would garner major headlines.  However, this story got buried under a barrage of headlines concerning an even bigger cyber event.  That was the day that Facebook, Instagram, and WhatsApp were brought down by a DNS disruption caused by a BGP update.  The outage affected some 3.5 billion people.  Messages couldn’t be sent, social media posting came to a standstill, and Facebook employees reportedly couldn’t use their keycards to enter buildings or access some systems. 

Melia’ Hotel Falls Victim to Cyberattack

So, while the media focused on the global disruption affecting billions, October 4, Meliá Hotels International, the 17th largest global hotel chain was dealing with their own cyber issues.  The hotel chain’s operations were brought down by a cyberattack which experts attributed to ransomware.  While disruption was primarily limited to its Spain-based operations, the global reservation system and public websites were brought down as some of company’s web servers were inaccessible.  Many of the hotel’s web visitors received error messages when attempting to visit the website.  No ransomware gang has publicly taken credit for the attack, nor has any of the hotel’s data appeared on the dark web. 

The Value of an Incident Response Plan

Indications are that the hotel had some type of incident response plan and was prepared for this type of event.  In a public statement, the hotel confirmed it had activated its response protocols and had managed to contain the attack.  It stated that its internal crisis committee had activated its business continuity plans and that remediating efforts were taking place.  Days later, the company managed to restore the affected systems from backup and hotel guests could once again expect normal operations. 

Securing Your Backups

The attack on Meliá Hotels International demonstrates just how critical a well-designed backup strategy is this new era of ransomware.  Your backup is the last line of defense, many times serving as the knight in shining armor that saves the day in the end.  While the traditional 3-2-1 backup strategy (3 copies of your data on two different media with one copy offsite), is still relevant as a foundational approach to recovering from a data loss event such as ransomware, today’s ransomware environment is also forcing companies to secure their backup systems.  Experienced ransomware gangs now implement a preliminary attack on a victim’s backup system first to take it out prior to the main frontal attack.  Once the backups have been eliminated, the targeted victim has far few options on the table other than to pay the ransom.

Security Tips for your Backups

Protecting your backups from a dedicated cyberattack begins with sound architecture.  Too often, companies host their backup server on the same virtualized infrastructure it is supposed to backup.  Because most servers today are virtualized, VMware and Hyper-V environments are prime targets during an attack.  The goal of attackers is to cripple these systems by taking out the host and management servers and encrypting the virtual data stores.  Of course, if the virtual infrastructure is eliminated, your backup system is to.  That is why experts today highly recommend that you host your backup system on a physical server that is segmented from your virtual environment.  Its also recommended that you not join your backup servers to Active Directory.  There are so many ways to gain access to AD accounts and once an AD account that has privileged access to the backup system is compromised, the attackers have complete access to your backups.  You should only use local administrator accounts that are protected by both a highly complex password of at least 14 characters and supplemented by some type of multifactor authentication (MFA).

The Importance of Security Filtering

Of course, the best way to protect yourself against ransomware is to stop the attacks in the first place.  This means shoring up the most common attack avenues that ransomware gangs commonly exploit.  According to the Cybersecurity and Infrastructure Security Agency (CISA), customary ransomware attack methods in 2021 involve email phishing campaigns, RDP vulnerabilities and software vulnerabilities.  As a result, many enterprises no longer provide RDP access from outside the network perimeter other than through a VPN connection.  A strict adherence to patching and updating will also go a long way to reduce the number of exploitable software vulnerabilities across your IT estate.

Organizations must adapt to counterbalance these cyber-threats, no matter what form they take. Ransomware must be stopped before the point of entry and not left to be dealt with after an attack has taken hold. The use of social engineering to manipulate users, along with stolen data and credentials to propagate attacks, and adaptive tools that evade detection, makes ransomware a formidable security threat. ‘Nipping ransomware in the bud’ is a strategic move by an organization to contain this threat. Endpoint protection is clearly not enough.

The use of a smart email security and web filtering solutions designed for complex threats like ransomware can detect threats in real-time before they become an infection. Unlike traditional endpoint anti-malware, these advanced solutions perform real-time updates and protect against active and emerging phishing URLs and threats. Cybercriminals are masters of invention and have many tricks up their sleeve, however, businesses can fight back, but to do so, they must take real-time action.

Want to make sure your network and organization are secure against threats internally and externally? Download the Complete Network Security Checklist.