The Play ransomware gang has claimed responsibility for a cyberattack on the H-Hotels chain which has left staff without access to email. The company’s name appeared on Play’s dark web victim blog, with the group stating it has a trove of data, including guest passport details.
H-Hotels operates across Germany, Austria and Switzerland, with 60 sites in 50 different locations. The company employs 2,500 people and operates six sub-brands: Hyperion, H4 Hotels, H + Hotels, H + Hostels and H.omes.
Was data stolen in the H-Hotels cyberattack?
The chain suffered a cyberattack on December 11 that affected all its hotels. Hotel staff have been left unable to receive or answer customer requests via email, so they must continue to conduct business over the phone.
H-Hotels has confirmed an attack took place, but insists there is no evidence of any data leaving its systems. “As of today, the commissioned IT forensic scientists have no evidence that relevant or personal data could be stolen in the cyberattack,” the company said, adding that it would swiftly inform victims if any evidence of data being stolen was discovered.
However, the post on Play’s victim blog alleges the gang has obtained information on the company. This is “private and personal data, clients documents, passports, ID,” it states.
Neither H-Hotels’ statement nor the Play victim blog mentions whether a ransom demand has been issued or paid.
The rise of the Play ransomware gang
Play is a fairly new ransomware gang that has carried out a number of high-profile attacks in 2022. The gang got its name because it adds the extension “.play” to files after encrypting victims’ data. Its ransom note often contains the single word “PLAY”.
The gang appears to be employing the same tactics as other ransomware-as-a-service groups Hive and Nokoyawa, in line with the standard practice among cybercrime gangs of continuously swapping labour and information. This has manifested itself in the use of similar tactics and tools.
Recently the gang has attacked government services in the city of Antwerp. The Flemish government under which it resides confirmed it was a victim of a cyberattack on December 14. According to a blog post by security company Malwarebytes, the attack has caused hundreds of city employees to revert to working on paper, affecting employee payroll, recycling centres, student resources and public libraries.
Play ransomware was first detected in July of this year targeting government entities in Latin America, according to a report by security company Trend Micro. Both Chile and the Dominican Republic have seen government agencies targeted by the gang and one of its subsidiaries, Quantum, in recent months.