Atrium Hospitality Ransomware Attack And Data Breach – Case Study

Background

Ransomware attack on Hotel guests in Atrium Hospitality

Defining the Problem

The Atrium Hospitality having its headquarter in Alpharetta, Georgia is a famous hotel and is an asset management company. The Atrium Hospitality has faced ramsomware attack in March 16, 2018. Atrium Hospitality announced that they had faced a data breach with information of 376 hotel guests in danger (Pollak, 2018). The information of the customers impacted because of the data breach. The hotel and the hotel guests were unaware of the actual misuse of data and took preventive measures to protect the data from further misuse. In the month of December 2017, the Hospitality discovered that of the workstations at Holiday Inn was affected by the ransomware attack. When Atrium Hospitality came to know about the attack which took place, the Hospitality immediately decided to change the workstation from the previous network and immediately started investigation with the forensic investigation firm. On 14^th February, 2018, the Hospitality stated that three hundred and seventy six data including the name, license number, passport number as well as debit and credit card details of the customers was assessable to the hackers. As soon as Atrium got to know about the fact, 182 guests were notified about the data breach through mails and address of others were not available. The hospitality also revealed the case to state regulators as per requirement. Atrium was not aware of the fact whether the data taken were misused and also cannot ensure whether the data was actually accessed by the hackers or not (Kica, 2016). So, the Atrium Hospitality informed all its guests to check their financial statements, monitors if credited is done and then reports any suspicious activities if the customers records. After reporting, the Atrium Hospitality will take necessary steps that are required to prevent that particular transaction or prevent some other unauthenticated transactions in future.

On 8^th December, 2017, Atrium Hospitality discovered the fact that the workstation of Sacramento Holiday Inn was infected by the malware. The officials of the Atrium Hospitality expected a data breach in one of the workstation of Atrium Hospitality and detached its network from other sources (Kharraz et al., 2015). The Atrium Hospitality was not aware of the data breach that took place in one of their holiday inn. They were also not aware about if the hackers took the information of the customers and misused them. The officials were not aware of what had actually taken the. The data breach took place because the security system was not updated that would protect the workstation from data breach (“Atrium Hospitality Notifies Hotel Guests of Compromise”, 2018). The data breach occurred by hacking the name, passport number, debit and credit card details of the guests and license number of 376 guests. From all the guests affected, 182 guests were informed by mailing them and other guests were not informed as their address were not available with the officials. The systems that the Holiday Inn of Atrium Hospitality were using were not updated and so that lead to data breach in the workstation. The guests who were impacted because of data breach, were requested to keep a look on their financial statements, monitor their credit reports and if they would detect any suspicious activity, they were informed to report immediately to the officials of protective team (“16-31 March 2018 Cyber Attacks Timeline”, 2018). The cyber-attack that took place contained malicious programs which directly affected the programs ran in the workstation of Sacramento Holiday Inn. The Atrium Hospitality were not having proper preventive measures to protect the details of their guests. This made the attackers easy to access the information of 376 guests getting their names, bank account details and other important credentials.

Data Breach and Impact

There are many ways to prevent an organization from cyber-attack. To prevent the network of the workstation from cyber-attack, the Atrium Hospitality was expected to have all the preventive measures (Case, 2016). If it was not possible for Atrium Hospitality to appoint and expert from outside to maintain all the network of the system, and also to make recommendations for security, them the Hospitality would have implemented many economical steps that would have reduced the risk of cyber-attack in the workstation. The list of doable that would have prevented the risk of cyber-attack in the workstation are listed below:

1. Train all the employees of the workstation so that they can get all idea about the principles of cyber security.
2. All the computer that the Atrium Hospitality had would be always updated and the all the system was expected to have antivirus installed in the systems.
3. The workstation should have used a firewall for using the Internet connection as it would stop all malicious virus from entering into the system (Nizam et al., 2016).
4. All the personal data and the information of the guests should have been stored and kept as backup for business information.
5. Accessing the personal computers and access the components of the network should have physical control.
6. All the Wi-Fi networks needed to have a security and the Wi-Fi should be hidden for security purpose.
7. All the employees in Atrium Hospitality was expected to have a personal user account which would lessen the risk of cyber-attack in the workstation (Guo et al., 2017).
8. The employees would have been limited to access the data and the information on the network and they should also have limit on the installation of the software on the network of the workstation.
9. They should regularly change the passwords of their personal accounts.

Defining the cyber-attacks

WannaCry attack is a ransomware attack that was held in May 2017. This cyber-attack was held worldwide by a malicious virus known as WannaCry ransomware cryptoworm. This ransomware virus mainly attacks the Microsoft Windows Operating system by data encryption and then demands for some ransom payments usually in Bitcoin crypto currency (Nissim et al., 2018). The cryptoworm propagates through EternalBlue and then exploits the Windows system. Previously also Microsoft released patches for closing the exploit. The WannaCry had spread from those organizations only who had not applied the patches for closing the exploit. Organizations who were using the older version of Microsoft faced the WannaCry attack. Also, backdoors were installed in the infected systems by the WannaCry attack. This is a classic example of ransomware attack in which the victims are locked out and cannot access their data and to make the data accessible, the hackers need payment that are demanded in bitcoins.

The Petya attack is a cyber-attack that intends on disruption and destruction other than the monetary gain. Petya is basically a wiper malware which destroys the system and the data. Petya is not a good way to make profit out of the attack. It only aims to attack the victim and destroys the information of the victims in the system (Dwyer, 2018). The Petya attack is a ransomware distinguished attack and the attack is used for true intentions. The Petya attack took place in the month of June, 2017 just after one month from the WannaCry attack. The Petya attack stoke the infrastructure of Ukraine. Around 60% of the systems in Ukraine were infected by the Petya attack

The scope of WannaCry in the European countries estimated as 200,000 infected computers. There may be more number of computers who are affected by the WannaCry attack including private as well as public organizations.

Steps Taken by Atrium Hospitality

The scope of Petya attack spread in Kiev, which is the capital of Ukraine. In that city all the ATMs stopped working and 80 miles around Kiev, the workers mainly forced to monitor manually the radiation of a nuclear plant when the system failed (Mohurle & Patil, 2017). The Petya ransomware attack also attacked the Australian chocolate factory. From there the attack also spread in other businesses and in the government agencies of Ukraine and organizations in some other countries a swell.

The WannaCry, also known as WannaCrypt affects the vulnerabilities in the computers which have Microsoft Windows and the attack is believed to use a technology that is developed by the NSA (National Security Agency). And the technology was leaked by the hacker in the month of April.

The vulnerabilities of the Windows Microsoft was safeguarded by updated Microsoft Windows version that was released in March (Perlroth, Scott & Frenkel, 2017). There are many organizations that rely on the dated software of computer are least vulnerable to the Petya ransomware attack than the computers which are not up to date. All the software needed to be updated for preventing the Petya attack.

The Petya ransomware attack spread like virus or worm from one machine to another. This happens by luring the user to click on a link or to some attachment (Reiber 2018). Once the virus gets the access of the computer, then it gets all the files encrypted, locks the computer of the user, wants some ransom from the user and finally spreads to other computers connected to that same network. This mainly happens in organizations that has wide computer networks.

The phishing attack generally spreads through attack done by email phishing. When a system of user gets infected, the Petya ransomware attack encrypts all the data files on system and presents the users a message about the encryption that has been done. Then the attacker demands for ransom amount of money, particularly in Bitcoin if the users wants to restore the files and access them (Fayi, 2018). The attackers also instructs the users about how to pay money for the attack. When the user pays the ransom amount, then the attacker ends a decryption key to the victim for restoring their files and accessing them accordingly.

There are many ways to prevent a particular system or a computer network from WannaCry attack or Petya attack. Some organization might hire some expertise to protect their systems from such attackers. Others may follow some preventive measure internally so that they may protect the computer networks (Guo et al., 2017). The ways to protect the computer networks from ransomware attacks are stated below:

• All the systems that are connected to a network and the system connected to the internet. There are patches that protects the system from the ransomware attack.
• The users should avoid as well as restrict the access of PsExec. Restricting the use of admin tools such as PowerShell generally reduces the chances of ransomware attack.
• There should be proper arranged backups for all the files that are in the computer network or in the system (Raiyn, 2014). When the ransomware attacks demands for money, the user may not pay for the ransom if they have a backup of all the files and information in other systems.
• Monitor continuously for any suspicious activities in the network of the organization. The cyber protection team should always monitor the system for any suspicious activities.

References

Atrium Hospitality Notifies Hotel Guests of Compromise. (2018). Retrieved from https://www.prnewswire.com/news-releases/atrium-hospitality-notifies-hotel-guests-of-compromise-300615517.html

Case, D. U. (2016). Analysis of the cyber attack on the Ukrainian power grid. Electricity Information Sharing and Analysis Center (E-ISAC).

Dwyer, A. (2018). The NHS cyber-attack: A look at the complex environmental conditions of WannaCry. RAD Magazine, 44, 25-26.

Fayi, S. Y. A. (2018). What Petya/NotPetya Ransomware Is and What Its Remidiations Are. In Information Technology-New Generations (pp. 93-100). Springer, Cham.

Guo, Z., Shi, D., Johansson, K. H., & Shi, L. (2017). Optimal linear cyber-attack on remote state estimation. IEEE Transactions on Control of Network Systems, 4(1), 4-13.

Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., & Kirda, E. (2015, July). Cutting the gordian knot: A look under the hood of ransomware attacks. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 3-24). Springer, Cham.

Kica, G. (2016). Adaptive Reuse of Tid Tower Into a Five Star Business Hotel (Doctoral dissertation).

Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack 2017. International Journal of Advanced Research in Computer Science, 8(5).

Nissim, N., Mahler, T., Shalom, E., Goldenberg, I., Hasman, G., Makori, A., … & Shahar, Y. (2018). Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices. arXiv preprint arXiv:1801.05583.

Nizam, F., Chaki, S., Al Mamun, S., & Kaiser, M. S. (2016, January). Attack detection and prevention in the Cyber Physical System. In Computer Communication and Informatics (ICCCI), 2016 International Conference on (pp. 1-6). IEEE.

Perlroth, N., Scott, M., & Frenkel, S. (2017). Cyberattack Hits Ukraine Then Spreads Internationally. The New York Times.

Pollak, O. B. (2018). Welcome to Omaha. Arcadia Publishing.

Raiyn, J. (2014). A survey of cyber attack detection strategies. International Journal of Security and Its Applications, 8(1), 247-256.

Reiber, J. (2018). The Fastest Way Across the Seas: Cyberspace Operations and Cybersecurity in the Indo-Pacific. In Eurasia’s Maritime Rise and Global Security (pp. 83-94). Palgrave Macmillan, Cham.