View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 21, 2022

Play ransomware gang claims H-Hotels cyberattack

Staff have been left unable to access or send emails after the chain was hit by an apparent ransomware attack.

By Claudia Glover

The Play ransomware gang has claimed responsibility for a cyberattack on the H-Hotels chain which has left staff without access to email. The company’s name appeared on Play’s dark web victim blog, with the group stating it has a trove of data, including guest passport details.

Play ransomware gang claims responsibility for attack on German hotel chain H-Hotels (Picture courtesy of stockfour/Shutterstock)

H-Hotels operates across Germany, Austria and Switzerland, with 60 sites in 50 different locations. The company employs 2,500 people and operates six sub-brands: Hyperion, H4 Hotels, H + Hotels, H + Hostels and H.omes. 

Was data stolen in the H-Hotels cyberattack?

The chain suffered a cyberattack on December 11 that affected all its hotels. It has left hotel staff unable to receive or answer customer requests via email and so must continue to conduct business over the phone.

H-Hotels has confirmed an attack took place, but insists there is no evidence of any data leaving its systems. “As of today, the commissioned IT forensic scientists have no evidence that relevant or personal data could be stolen in the cyberattack,” the company said, adding that it would swiftly inform victims if any evidence of data being stolen was discovered.

However, the post on Play’s victim blog alleges the gang has obtained information on the company. This is “private and personal data, clients documents, passports, ID,” it states.

Neither H-Hotels statement nor the Play victim blog mentions whether a ransom demand has been issued or paid.

The rise of the Play ransomware gang

Play is a fairly new ransomware gang that has made a number of high-profile attacks in 2022. The gang was attributed its name as it adds the extension “.play” after encrypting victims’ data. Its ransom note often contains the single word “PLAY”. 

The gang appears to be employing the same tactics as other ransomware-as-a-service groups Hive and Nokoyawa, following the standard cybercrime gang protocol of continuous swapping of labour and information between gangs. This has manifested itself in the use of similar tactics and tools.

Content from our partners
How designers are leveraging tech to apply the brakes to fast fashion
Why the tech sector must embrace faster, smarter talent recruitment
Sherif Tawfik: The Middle East and Africa are ready to lead on the climate

Recently the gang has attacked government services in the city of Antwerp. The Flemish government under which it resides confirmed it was a victim of a cyber attack on December 14. According to a blog by security company Malwarebytes, the attack has caused hundreds of city employees to revert to working on paper, affecting employee payroll, recycling centres, student resources and public libraries. 

Play ransomware was first detected in July of this year targeting government entities in Latin America, according to a report by security company Trend Micro. Both Chile and the Dominican Republic have seen government agencies targeted by the gang and one of its subsidiaries, Quantum, in recent months.

Read more: UK lawyers warned to stop helping clients make ransomware payments

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU