Inside a Ransomware Hit at Nordic Choice Hotels

Hotel staff recorded check-in details with pens and paper, and escorted guests to their rooms because digital keycards didn’t work, Ms. Fiskvik said. Just as hackers struck, hotel business was booming again after long pandemic-related lockdowns.

“We were a good target because we were tired already,” she said.

More than five weeks after hackers hit, glitches continue in machines that provide heating, music and other services, she said.

Nordic Choice, an independent franchisor of Rockville, Md.-based Choice Hotels International Inc., operates hotels in Norway, Sweden, Denmark, Finland and Lithuania. A spokesperson for Choice Hotels International said there is no indication the attack affected its technology systems.

An investigation found that hackers had infiltrated Nordic Choice’s systems 36 to 48 hours before launching the attack through a phishing email that appeared to be sent by a tour operator in frequent contact with the company, Ms. Fiskvik said.

A hotel employee thought the message was legitimate and clicked on a malicious link, she said. Hackers then took out most of the hotelier’s antivirus systems and copied data from local Windows files, she added.

Once inside the hotel’s network, the hackers deployed ransomware known as Conti—the same strain that has crippled a number of corporate victims in recent months, plus Ireland’s public healthcare system in 2020.

The Retail and Hospitality Information Sharing and Analysis Center, a nonprofit group that facilitates the exchange of information about cyber threats, had warned members in October about increased ransomware attacks. Retailers and hoteliers should take security precautions such as using multifactor authentication for web-based mail applications and other critical systems, RH-ISAC urged.

Hackers left a message on Nordic Choice computers about how to contact them to decrypt locked data, but didn’t name a ransom amount. The company didn’t plan to talk to the attackers or pay a ransom, Ms. Fiskvik said. Last week, however, she discovered that someone had replied to the hackers in late December, when tech systems were restored, despite warnings from her team not to, prompting the hackers to demand $5 million. Still the company didn’t pay.

Ms. Fiskvik doesn’t know who made contact but it could have been anyone with access to the ransom note, which was available on all hotel computers, she said, adding that she reported the communication to police.

The morning after the attack, Nordic Choice operations and tech teams set up a crisis team and decided to fast-track an existing plan to switch from Microsoft Corp.’s Windows system to Alphabet Inc.’s Google Chrome products. Before the attack, Ms. Fiskvik’s team had planned to convert thousands of hotel computers and service machines from Windows to Chrome as part of a sustainability initiative. She moved up the migration as a way to help recover operations. Technicians didn’t need to visit hotels to collect and clean computers, she said.

The team converted the first computer within 24 hours of the attack, and restored operations at the first hotel within 48 hours, running bookings and check-ins on Chrome. The group migrated around 2,000 computers in 212 hotels within two days, saving weeks of work, she said.

Replacing or changing technology after a cyberattack can be tricky and may introduce new security problems, said Bryon Hundley, vice president of intelligence operations at RH-ISAC.

The victim company is already in a vulnerable position, Mr. Hundley said, and experts need to test several security aspects, such as multifactor authentication and identity management on the new products. “There are so many complexities to rolling out these technologies, assuring they work and still maintaining a good customer experience,” he said.

As Nordic Choice worked to recover tech systems, hackers posted personal data about employees on the dark web, including details about their bank accounts and government-issued identification numbers. At the time, they claimed the published data was 10% of what they stole.

A few days later, they posted more information, saying it was 20% of the total.

The company held virtual meetings to inform employees about the dark-web posts and has been instructing managers about how to help affected individuals protect themselves from identity theft. “It was definitely very hard on our employees to know that data about them was out on the web, public to anyone with a link,” Ms. Fiskvik said.

Hackers didn’t access systems with customer information, she said.

Nordic Choice informed Norway’s data protection regulator of the data leaks and continues to monitor the dark web, she said. Companies are required to quickly notify regulators about a breach of personal data under Europe’s General Data Protection Regulation privacy law.

Ms. Fiskvik’s team is developing a short cybersecurity training program to teach employees about hacking threats in a way that is easy to digest, such as weekly lessons on how to recognize malicious links or understand other threats. “Most people just can’t keep up. It’s just not what they know. We’re hoteliers, we’re not tech experts,” she said.

Write to Catherine Stupp at Catherine.Stupp@wsj.com