Monday, 3 April 2023

Croatian Tourist Agency Attacked by Hackers, Pay 500,000 USD Or Else...

April the 3rd, 2023 - One large Croatian tourist agency has been the target of a malware attack, and the concerning thing is that very little help was at hand from the police, the state institutions or even insurance companies.

As Poslovni Dnevnik/Marija Crnjak writes, Adriagate, a well known Croatian tourist agency, almost had 22 years of hard work disappear in just a few hours. This Split-based Croatian tourist agency, which deals with renting out private properties, had a close call with a cyber attack. On the night of January the 17th to the 18th this year, they suffered a hacker attack with an extortion demand of 500,000 dollars. In a mere two hours, 90 percent of their data from about 30 servers in Split and Zagreb was encrypted, about 50 applications crashed, as did their website, and their accounting data just disappeared. It is still not known who the perpetrator was.

The founders of the Adriagate agency, Igor Popovic and Toni Blaskovic, told this bizarre, almost cinematic story about how they managed to stop the attack and get their data back, and how much support they had from the appropriate institutions and infrastructure here in Croatia. They recalled their experience during the Days of the Association of Croatian Travel Agencies (UHPA), held in Brela. Their testimony is valuable to the extent that at least fifteen members of the Association from this meeting recalled having suffered a similar attack, but chose to pay the demanded ransom and continue to work with the risk of a new attack - because, as is known, hackers come back. Here are more of the details.

"We have a monitoring system for our applications that notifies us when something isn't working properly. When I woke up, I saw that I'd received a message on my phone that our website had crashed and was unavailable. Well, that's nothing strange, so I went to make some coffee, and when I connected to the server with that coffee, I was greeted by a message from AvosLocker entitled "Get your files back". I quickly extinguished everything and for five hours everything remained off, but for three days we didn't know the extent of the damage done to us, because we didn't know if it would continue to work if the process was not completed. We reported the case to the police, we contacted data recovery companies from Croatia and Germany, we tried everything, but with this variant of this virus there is no solution except possibly just paying a ransom, but without any kind of guarantee," explained Blaskovic.

AvosLocker is a relatively new ransomware strain that has been active since 2021, and works by encrypting data and then demanding a ransom for it. This Croatian tourist agency first received a payment request in the amount of 500 thousand dollars, which was reduced to 250 thousand dollars after further communication with the hackers. In the end, Adriagate did not pay, because the general recommendation is not to pay in such situations.

"We started communicating with the hackers, but we didn't pay, but we managed to get the data back with our own resources. A criminal report has been filed, but only in 0.05 percent of cases are the perpetrators are found, and even then, they are very well protected. The last case from Germany shows this level, it was an attack in which the perpetrators were discovered but they were not even arrested, they were only detected and identified by Interpol. You're never sure that they aren't already there somewhere in the system and that they won't do it again. Now that we've been setting everything back up again, we set up the entire infrastructure in a totally different way, we put together a totally new system from the beginning on new servers with completely different protection,'' added Blaskovic.

"There's always a risk that you pay a large amount without having any guarantee that the data will be returned to you, and we were afraid about how we'd manage to pay such a large amount through the company, how the tax administration would look at it, they would also accuse us of embezzlement from our own company,'' said Popovic. It should also be noted that this type of attack requires payment in crypto-currencies that must be purchased beforehand, there are no legal channels to do this and the hackers are completely protected.

Since the accounting data is also encrypted in these cases, the attacked company will also be late with reporting their obligations to the relevant state institutions. In addition to that, it seemed to Adriagate that the Croatian police don't really have a lot of resources or experience in dealing with this type of crime, which has become more and more common with ongoing digitalisation. Adriagate pointed out that even Croatian insurers don't offer policies that cover such cases, unlike in some other countries where this is understood as a relatively common issue.
