Skip to main content

Case study: Ransomware attack against Nordic Choice Hotels

It all started with an email from a seemingly well-known partner. Read this case study to find out what happened to the hotel chain, how they handled it, and how you can protect yourself against similar threats.


What would you do if you suddenly got locked outside of your system? What if the elevators and keycards to rooms in your organisation stopped working? This, and more, happened when the hotel chain Nordic Choice Hotels was hit by a severe ransomware attack in December 2021. This story is a good example of how such an attack typically happens, and what can be done about it. Thanks to the transparency of Nordic Choice Hotels, who shared what happened to them and how they solved it, other organisations can learn from it and protect themselves.


Learn more about the most commonly used cyber attacks


Ransomware attacks often start with an email

An employee at Nordic Choice Hotels received a seemingly normal email from a well-known partner. It didn’t have any spelling mistakes or other suspicious signs that one might assume that phishing emails usually have. The email asked the recipient to download an attachment, containing an Excel file inside of a .zip file. It turned out that the sender had been infected and didn’t actually send the email – cyber criminals did. The attachment was in fact not an Excel sheet, but ransomware. Once the attachment was opened, their system got infected and the ransomware disabled the antivirus software of the hotel chain. This allowed the ransomware to further infect their system.

After gaining access, the cyber criminals collected sensitive information about the employees and encrypted files on the hotel computers. This is known as ransom, hence ransomware. The encryption ensures that all files can no longer be accessed by the company. Another result of the attack was that physical systems, such as elevators and keycards, didn’t work anymore. These are all very essential systems for a hotel chain. 

The goal of the criminals was to extort the company into paying them to restore their systems to normal working order. They asked for 44 million NOK, or around 5 million USD. The cyber criminals left a digital note, explaining what had happened and demanding the money, in addition to a way of verifying themselves as the attackers.

The aftermath of the attack

After the attack, the staff of the hotels had to resort to manual approaches to check-in guests and to access the rooms, as the keycards didn’t work anymore. The security team also set up a crisis response team, who had to come up with a solution to get the systems back online again. Previously, the company had decided on a migration from the Windows system to Google Chrome OS for their internal operations. They decided to fast-track this migration as a way of restoring their systems instead. Within the first 24 hours of the attack, they managed to make the first migration on one of the computers. This allowed the first hotel to manage bookings and check-ins again. 

With the help of their teams, in only 48 hours, Nordic Choice Hotels managed to migrate 2000 computers in 212 hotels across five different countries. However, while they were busy working on regaining access to their systems, the cyber criminals started posting sensitive information about their employees on the dark web. They did this as an attempt to coerce the company to pay the ransom, posting information in increments of 10% of the total stolen information. 

The policy of Nordic Choice Hotels was to avoid communicating with the criminals altogether, and not transferring any money. By switching to Chrome OS, they were able to get most of their systems up and running again, and ultimately save their business.

What can you do to protect yourself?

This story shows how disturbingly easy it is to become a victim of ransomware attacks. It also shows that it’s possible to combat ransomware. It’s important to note that you shouldn’t communicate with the criminals, but contact your security team instead. Most importantly, you should never pay the ransom. 

This story also highlights the importance of good cyber hygiene. There should be a set of practices in place to ensure that employees know how to deal with safety and security within their company. While the story of a partner and an Excel sheet sounds convincing, an Excel file should not be inside a .zip file. Awareness of these types of attachments can help prevent attacks from happening. Having a good backup of your system and getting them up and running quickly, in case of an attack, is one of the best defences against ransomware attacks.

Because Nordic Choice Hotels handled the situation with transparency and showcased how the attack was handled internally, other organisations got the opportunity to learn from it too, and protect themselves. By contributing to an open conversation about cyber crime, you contribute to raising awareness and ultimately creating a safer digital environment for everyone.

Most popular