Hackers Use New Tactic at Austrian Hotel: Locking the Doors
By DAN BILEFSKY
JAN. 30, 2017
The ransom demand arrived one recent morning by email, after about a dozen guests were locked out of their rooms at the lakeside Alpine hotel in Austria.
The electronic key system at the picturesque Romantik Seehotel Jaegerwirt had been infiltrated, and the hotel was locked out of its own computer system, leaving guests stranded in the lobby, causing confusion and panic.
“Good morning?” the email began, according to the hotel’s managing director, Christoph Brandstaetter. It went on to demand a ransom of two Bitcoins, or about $1,800, and warned that the cost would double if the hotel did not comply with the demand by the end of the day, Jan. 22.
Mr. Brandstaetter said the email included details of a “Bitcoin wallet” — the account in which to deposit the money — and ended with the words, “Have a nice day!”
With the 111-year-old hotel brimming with eager skiers, hikers and vacationers, some having paid about $530 for a suite with a panoramic view and sauna, Mr. Brandstaetter said he decided to cave in.
Guests had already complained that their electronic room keys were not working, and receptionists’ efforts to create new ones had proved futile. Bashing down the doors was not an option.
The reservation system for the hotel in the village of Turracherhöhe, about 90 minutes by car from Salzburg, was paralyzed.
“We were at maximum capacity with 180 guests and decided that it was better to give in,” he said. “The hackers were very pushy.”
Security experts said the attack on the hotel appeared to be a novel example of an increasingly malicious and prevalent type of modern-day piracy.
The weapon? A type of software known as ransomware.
The crime is as simple as it is mendacious. Victims typically receive an email with a link or attachment that contains software that encrypts files on their computer and holds them hostage until they pay a ransom. Many of the hackers who carry out such attacks operate in Russia and Eastern Europe, according to the police, and often demand a ransom in Bitcoin, a digital currency that is hard to trace.
“Ransomware is becoming a pandemic,” said Tony Neate, a former British police officer who investigated cybercrime for 15 years. “With the internet, anything can be switched on and off, from computers to cameras to baby monitors.”
Still, he added, “hacking a hotel and locking people out of their rooms is a new line of attack.”
Mr. Neate, now chief executive of Get Safe Online, a government-backed security charity in Britain, said that demands in ransomware schemes were usually low enough that victims would acquiesce. As a result, however, hackers waged dozens of attacks a day to make them financially viable.
He nevertheless counseled victims not to pay, arguing that that would only further encourage more attacks and that the funds used to pay the ransom would bankroll nefarious activity, including possibly terrorism. Hotels, he warned, should also guard against copycat crimes by reinforcing their digital security.
According to the United States Justice Department, ransomware attacks quadrupled in 2016 to an average of 4,000 a day. The F.B.I. said the costs to victims of such attacks rose to $209 million in the first three months of 2016, compared with $24 million throughout 2015.
It is a sign of the crime’s sinister proliferation that it has also entered popular culture.
In an episode of the legal drama “The Good Wife,” a Russian hacker attacked a law firm in the middle of a prominent case, encrypting its files and demanding a $50,000 ransom. The hacker eventually relented after the firm turned the tables by infecting the extortionist’s computer with propaganda criticizing Russia’s president, Vladimir V. Putin.
In the real world, however, many have been forced to pay up.
Last year, hospitals in California and Kentucky were targeted in ransomware attacks. In one case, a Los Angeles hospital paid more than $17,000 to hackers to restore its computer network, and all of its digital medical files. Other victims in Europe and the United States have included a municipal utility, companies, schools, law firms and police departments.
A recent study by the Institute for Critical Infrastructure Technology, a Washington-based organization focusing on cybersecurity, noted that ransomware threatened to “wreak havoc on America’s critical infrastructure community” and called it the digital equivalent of a “centuries old criminal tactic.”
Mr. Brandstaetter said he had decided to go public with the attack at his hotel so that others would be more vigilant.
To guard against future attacks, however, he said the Romantik Seehotel Jaegerwirt was considering replacing its electronic keys with old-fashioned door locks and real keys of the type used when his great-grandfather founded the hotel.
“The securest way not to get hacked,” he said, “is to be offline and to use keys.”