Check in systems at hundreds of hotels crippled after ransomware attack on software firm Techotel

Thousands of hotel guests affected.

Updated June 13, 17:30. As per Techotel's own updates, restoration of system data and decryption of files on the company's 250 servers is ongoing, with systems still down, 5 days on.

Hotel management software provider Techotel has been hit by ransomware -- and is live blogging its response (including challenges getting Bitcoin) after the attack took down hotel IT systems in what CEO Klaus Ahrenkilde told The Stack was "several hundred" hotels across Europe. With thousands of guests affected, the privately held company has opted to pay the ransom and is hoping to get systems back online today.

The Denmark-headquartered company, founded in 1981, provides IT solutions for hotels, inns, conference centers, hotel chains and restaurants. Its main product Techotel Picasso, is the best selling hotel system in Denmark, Norway and Sweden and installed in over 800 locations.

Techotel was hit by ransomware June 9.

The company's IT team have taken the unusual approach of live-blogging its response, including its challenges withdrawing money (with bank AML concerns referenced) and transferring it to Bitcoin to pay "the bandits". The attack has crippled the ability of hotels using the software to handle basic check-in and check-outs for thousands of guests; leaving many in turmoil and putting huge pressure on the company as a result for a swift resolution.

Follow The Stack on LinkedIn

"Dear all, we Techotel group expect that tonight at DK/SE time 21.00 (20:00 Irish time) to be contacted by an Eagleshark [the company's cybersecurity specialist] negotiator informing us the amount, we are going to settle for recovering us from the attack," the company said on June 9. "But the bandits do not accept bank transfer so we need to change the amount to Bitcoin. This will take us 3-7 hours. The bandits will then send us a program to decrypt the files. To fix the situation it might take 5- 10 hours."

Techotel CEO: We depend on the goodwill of the bandits...

Speaking to The Stack on June 11, founder and CEO Klaus Ahrenkilde said he felt he had no choice but to pay: "We cannot break the encryption. We are a small company, with hundreds of hotels affected."

Declining to comment on the ransom sum demanded or other details, he said: "We are still not live. We depend on the goodwill of the bandits. They asked for a lot for a small company. But I have seen on CNN companies asked for $100 million. Our priority is getting the hotels up. We are working day and night."

IT experts speculated that any backup systems were most likely domain joined with no off-site capability and testing.  Having a separate AD forest (in an isolated firewall zone) that has only virtualisation hosts, backup servers and privileged access workstations is a starting point to avoiding this situation. The most common method for creating resilient data backups is to follow the ’3-2-1’ rule; at least three copies, on two devices, and one  offsite. Regular "cold" or offline backups are also wise.

(Readers, want to share bullshit-free tips for under-resourced IT teams on ensuring resilience to an attack like this? Get in touch).

Techotel's live blog: a snapshot.

11-06-2021 14:54The interesting question is when will your hotel system go live again. The Bandits actually help us to clean the system now. But we think the chances to go live tonight is smaller the to the chance to go live saturday. We will work the weekend until your system run again:-)
11-06-2021 14:46Update: It is very difficult: Team1 write scrips to find files to unencrypt. Team 2 working with unencrypt sql Hotel data. Team 3 unencrypt Mail servers, Team 4 send backup Nas to NO to be recovered date. IBAS are working in the weekend
11-06-2021 12:30A reminder. Mailadresses from and to domains techotel.se and techotel.dk are NOT in use. Please use other contactmethods. But please follow this page for further information.
11-06-2021 11:14NO: Dette påvirker ikke bruk av Picasso for våre kunder på norsk hosting, eller kunder med egne servere, men Picasso Online og Yield Planet er fremdeles nede. Dere kan legge inn eventuelle bookinger fra Channel Manager manuelt selv, husk da å legge til alt.res nummeret
11-06-2021 10:43This is technical info: The encryption of some of the files have been conducted over maybe 4 times. This is very complex to uncrypt. Team 1 are in contact with the bandits, to get the right codes. Team 2 are trying to involve other specialist.
11-06-2021 06:17Team 2 just finished the extra backup of all hotel reservations. They go to sleep now. Team 1 cannot be sure when, but we focus to get the hotels reservations decrypted. More to come.
11-06-2021 04:00We need to sleep now. We are not live, but will continue Friday at 10.30.
10-06-2021 22:51We have now got the decryption keys and are working on decrypting them in this moment. We are working in two teams. It is difficult to inform when we will be live. I dont think we will be live within the next 7 hours.
10-06-2021 19:52Just now we got the final code til clean til cryptatet files. We will continue the hole night
10-06-2021 18:28We got some tools to decrypt the hotel files with. We have meeting at 19.30 to come
10-06-2021 16:34We have got the bitcoins and are now transferring them to the bandits. We expect that the bandits soon will decrypt the files.
10-06-2021 15:46We have signed an agreement regarding the bitcoins for 30 minutes ago and we expect that the bitcoins will be transferred to the bandits very soon.
10-06-2021 14:12If everything goes as planned, we will have the bitcoins within an hour and be able to pay the bandits directly and further be able to start the system again.
10-06-2021 12:51We and Eagleshark continue the discussion with the bank and other consultants, of how to get the bitcoins and thereby to get our data released. More to come later.
10-06-2021 11:38We and Eagleshark will continue the meetings with the bank and we are now closer to find a final solution. However, is is not a financial issue, it concerns the complications regarding money laundering regulations.
10-06-2021 10:20We and Eagleshark are still working on getting the necessary Bitcoins, we have been in meetings with the bank to get the transfer done in 2 hours now......
10-06-2021 06:27Status this morning: We and Eagelshark.com were informed about the amount we have to pay, it is much more than we expected! We have pay in Bitcoins to get access to the data. It is large sum that we need to transfer. I will update when we know more and how long it will take to complete the transfer and restore Picasso today
09-06-2021 17:08You can read more about the Crypto attack on us and other companies tonight on TV. Read on regarding yours and ours current situation. We expect the hotels to open Thursday noon or evening!
09-06-2021 16:51Dear all, we Techotel group expect that tonight at DK/SE time 21.00(20:00 Irish time) to be contacted by an Eagleshark negotiator informing us the amount, we are going to settle for recovering us from the attack. But the bandits do not accept bank transfer so we need to change the amount to Bitcoin. This will take us 3-7 hours. The bandits will then send us a program to decrypt the files. To fix the situation it might take 5- 10 hours
09-06-2021 13:57I don't think we will be live in the next 2-4 hours. Please check your email at the hotel. Picasso is sending an arrival list to your email the evening before
09-06-2021 13:29The specialist from https://www.eagleshark.dk/, we are using, is the best at this work. The attacker has not responded. Technical staff for us are cleaning server from virus
09-06-2021 11:35Technicans are still working. And note; Your GDPR has not been hacked, GDPR has not been compromised.
09-06-2021 09:51Hi Nothing New just now. The specialist are now isolating the servers, that are not attacked from the serves that are under attack. I cannot say if we are live today, yet. People producing virus should be in jail!!
09-06-2021 07:56NB: Techotels mail also are attacked and cannot be used. Please follow the update at the homepage
09-06-2021 07:50We are hit by ransomware. You have to be prepared to not have access to your date the next hours. Before we get opened access to files again. NB this is not an Techotel error.
09-06-2021 06:59In your main mail setup in Picasso if so, you should have an arrival for today, maybe before downtime/attack. Check the booking mail. Else check your digital report. I will write back at 08.00.
09-06-2021 06:52We have been atacked by virus. Nothing is wrong with our cloud. We will work together with antivirus specialist to solve this.
09-06-2021 06:01Sorry for delay and disturbance. Our Domain Controller the effect several functions. We will inform you futher, we will try to update info approx. 06.40
09-06-2021 03:53We have problems with Danish, Swedish and Irish Picasso . Our technical staff is looking at the issue. We will update information later.

The NCSC's guidance on preparing for a ransomware attack is here. The need to carefully plan, implement, and regularly test a data backup and restoration strategy has never been more important. Business leaders at smaller companies that are unsure who is responsible every component of this plan and how well stress-tested it is? It’s probably time that you asked. And if you have storage admins, check in with them or your broader IT team that they have what they need to help you recover, fast.

See also: 6 free cybersecurity tools you should know