Hotel Chain Switches To Chrome OS To Recover From Ransomware Attack

A Scandinavian hotel chain that fell victim to a ransomware attack last month said it took a novel approach to recover from the incident by switching all affected systems to Chrome OS. The Record reports: Nordic Choice Hotels, which operates 200 hotels across Northern Europe, fell victim to a ransomware attack on December 2, when hackers encrypted some of its internal systems using the Conti ransomware strain. The attack prevented staff from accessing guest reservation data and from issuing key cards to newly arriving guests, as one of the hotel's guests told The Record in an interview last month. But in a press release today, Nordic Choice said that instead of contacting the hackers and negotiating a ransom for the decryption key that would have unlocked the infected devices, the hotel chose to migrate its entire PC fleet from Windows to Chrome OS.

"[I]n less than 24 hours, the first hotel was operating in the Chrome OS ecosystem from Google. And in the following two days, 2000 computers were converted all over the company consisting of 212 hotels in five different countries," the hotel chain explained. Kari Anna Fiskvik, VP Technology at Nordic Choice Hotels, said the hotel had already run a pilot program to test the tool before the attack as a way to save money by reusing old computers with a less-demanding OS. "So when we suddenly had to deal with the cyberattack, the decision to go all in and fasttrack the project was made in seconds," Fiskvik said. Nordic Choice said it plans to migrate another 2,000 computers to Chrome OS, on top of the 2,000 it migrated during the attack. The hotel chain said they expect to save $6.7 million by converting old computers to Chrome OS instead of buying new hardware.

Hey if it works

[Baconsmoke]

then power to them. Hopefully they can do everything they need in ChromeOS. If so, then this is a fairly sane direction to go.

Re:

[DontBeAMoran]

It would have been more sane to switch before the attack, since it saved them from buying new hardware, was getting them away from Windows and saved money in the process.

I wish more companies would stop using the old "gotta spend money to make money" motto, it's not true in all cases. This case is a good example that "saving money can also make money", even if it should be completely obvious even to a kid in pre-school.

Re:

[saloomy]

Honestly a lot of businesses should consider this. If you can not run all of your software in ChromeOS to do all of your data entry, document management, and ERP tasks in a browser, migrate that system away from whatever legacy solution you have today. Windows is just not worth it anymore for business tasks.

Re:

[jenningsthecat]

Windows is just not worth it anymore for business tasks.

Windows is just not worth it anymore, full stop.

FTFY

Re:

[mwvdlee]

If I read the article correctly, they're just running ChromeOS on the same old hardware.
Making the relatively save assumption that all their software runs on the web, the switch should be relatively easy.

Re:

[OngelooflijkHaribo]

This seems like a rather and incompetent reason to switch to me.
If they had done the maths prior, and concluded that switching was better I would be more receptive, but this seems more an emotional reaction than anything, and perhaps they will simply be hit by a randsomeware attack again, which is typically by cause of social engineering of an administrator.

Re:

[splutty]

You read neither the summary, nor the article. They explicitly stated they had already run pilots for it. That doesn't make it an 'emotional reaction'.

Re:

[hey!]

While incompetence will pretty much by definition increase your chance of failure, competence isn't a perfect guarantee of success. I think it's unlikely that *anyone* does absolutely *everything* right, but even if you could that doesn't mean you can't fall victim to something like an undisclosed vulnerability.

You have to assume that you're both fallible and potentially unlucky, which means if you're *really* competent you should have contingency plans for dealing with failure. Resilience should be an im

Re:

[LostMyBeaver]

Unless Google is working behind the scenes here, it seems to me that the same process failures they experienced on Windows will occur here.

So far as I know, there is no supported method of bare metal installation of Chrome OS with Play store on existing PCs. While there are many solutions for this, there is no official support which means they will depend on something like a jailbroken device. This means upgrades and security and updating Play store (pretty important stuff) can actually brick devices.

I woul

Re:

[mwvdlee]

I thought this as well, but apparently Google has silently acquired Neverware at the end of 2020, whose core product CloudReady makes it possible to run ChromeOS on old PC's.
So yeah; Google IS officially supporting ChromeOS on existing PC's now.
Nordic Choice's move to ChromeOS seems perfectly sane now.

Re:

[gweihir]

You read neither the summary, nor the article. They explicitly stated they had already run pilots for it. That doesn't make it an 'emotional reaction'.

The MS whores will use any invalid reason to stay on their preferred dirty drug. Fear of change and plain stupidity. Also look at anti-vaxxers, flat-earthers, climate-change deniers, etc. for "arguments" of the same quality.

This clearly was a well-prepared and expertly executed DR plan. 3 days to back in business? That is about as good as it gets.

Re:

[AhegaoAfficionado]

MS whores prefer that daddy bill gates and his spyware software do all the thinking for them. Oh and their gahmes run.

Re:

[OngelooflijkHaribo]

I read it, and I read about the pilots. You will also note the part after it where it says the decision was made largely in response to the attack, not the result of the pilots, and that the pilots were primarily about old computers.

Re:

[crunchygranola]

That is because you read it through the lens of a Slashdotter who imagines themselves a Tech God and who imagines he sees the ideal solution to everything and that everyone else is a moron. It is a trait that infects many here, you are not alone.

A rather different way of parsing this is that they were forward/out-of-the-box thinking enough to begin proof-testing a cheaper solution to their IT needs, and when the Micro$oft solution proved vulnerable to ransomware going ahead immediately with the replacement

Re:

[mcswell]

It also sounds like IT would have suggested to management that they make the switch sooner or later, this just pushed them to do it sooner. I suppose they might have rolled it out incrementally (maybe as computers became outdated wrt Windows), or done more testing, or whatever, had the attack not happened.

Re:

[OngelooflijkHaribo]

That is because you read it through the lens of a Slashdotter who imagines themselves a Tech God and who imagines he sees the ideal solution to everything and that everyone else is a moron. It is a trait that infects many here, you are not alone.

Or maybe you can rather than come with ridiculous ad hominems that you have no basis on even making, let alone being relevant to the point, and simply address the point rather than the man.

A rather different way of parsing this is that they were forward/out-of-the-box thinking enough to begin proof-testing a cheaper solution to their IT needs, and when the Micro$oft solution proved vulnerable to ransomware going ahead immediately with the replacement strategy they already knew would work and save money as way of cleaning any ransomware was an easy choice. Smart planning, and a smart decision. Temporizing and waiting days or weeks to make the switch would not have made it "smarter".

It's entirely possible, but very unlikely given the timescale of switching just after the attack, and furthermore the article and it's summary which you claim I did not read suggest otherwise, and that the randomswear attack was the primarily motivating factor, not he pilots or anything else. Making the decision after the

Re:

[kqs]

It's entirely possible, but very unlikely given the timescale of switching just after the attack, and furthermore the article and it's summary which you claim I did not read suggest otherwise, and that the randomswear attack was the primarily motivating factor, not he pilots or anything else. Making the decision after the attack came in “seconds” suggests an emotional response, not a calculated financial one.

I disagree. I've several times been involved in migrations from a "current" system to a "new shiny" system. When there is a major problem with the "current" system, you know that you have a lot of hours of work ahead. Should you spend those hours in fixing the old system, or in rushing to install the new system?

There is no right answer for all cases, but in this case it sounds like they decided to emergency-migrate to ChromeOS. The timing of the decision was caused by the ransomware, but the decision it

Re:

[RespekMyAthorati]

Making the decision after the attack came in seconds suggests an emotional response

Of course, nobody would have an emotional response
to having their entire multi-hotel business trashed by
ransomware.

In fact, they should probably say "Gee, maybe we should
pay the multi-million dollar ransom, then spend the
next six months deciding whether ChromeOS is safer than Windows".

Re:

[gweihir]

They likely are 100% web-based on the client side. Most corporate IT can do it and people with a clue push for it.

incompetence

[bloodhawk]

So your IT fucks up, lets migrate to something else because bad IT can't hurt us elsewhere right? Think they are in for a nasty shock, incompetence hurts regardless of platform.

Re:

[King_TJ]

Bad I.T. always causes problems... but it wasn't a "bad" decision to refuse to pay the ransomware fees. If they're this easily able to switch platforms, that tells me there must not have been a lot of data they were really concerned about hanging onto? I mean normally, THAT'S really why companies panic, run to the backups, and possibly even give in to pay the ransoms. The hassle of having to rebuild a bunch of Windows workstations again, if the main concern, means it's just as easy or easier to flip every

Re:

[bloodhawk]

Bad I.T. always causes problems... but it wasn't a "bad" decision to refuse to pay the ransomware fees. If they're this easily able to switch platforms, that tells me there must not have been a lot of data they were really concerned about hanging onto?

True, but it says nothing about fixing the problem, what it is is spin to try and deflect from their failure.

I mean normally, THAT'S really why companies panic, run to the backups, and possibly even give in to pay the ransoms. The hassle of having to rebuild a bunch of Windows workstations again, if the main concern, means it's just as easy or easier to flip everything to something like ChromeOS.

I am not suggesting switching to ChromeOS was bad idea, just pointing out this is purely marketing spin to hide IT failure. ChromeOS doesn't fix the problem of incompetence, perhaps IT have tried to pass this off as a panacea to the business to deflect from their failure.

Re:

[saloomy]

Ransomware is not always caused by poor IT incompetence. Just like we saw with Log4J, there are many vulnerable softwares out there, and not all of them can live behind a VPN (assuming your VPN server itself doesnt have any RCE vulnerabilities). Systems are vulnerable in scopes beyond that of the implementation. It seems like they were experimenting with ChromeOS prior, probably as a cost saving measure, and decided to go that direction to avoid a repeat.

Re:

[mwvdlee]

However, they DID easily recover from it.
They recovered from it by reinstalling an OS with a browser.
They could have just as easily recovered by reinstalling Windows.
The fact that they choose a different OS is irrelevant to the recovery itself.

Re:

[kqs]

I agree except that:

    * Reinstalling Windows is often slow and takes manual effort, especially on old machines. Once you reinstall, you are probably still vulnerable to the ransomware.
    * Reinstalling ChromeOS is quick and 99% painless. It is more resistant to ransomware than Windows (much smaller attack surface). Both the installation and operation is fast even on old machines.

So they could have recovered with Windows, but not "just as easily".

Re: incompetence

[ArmoredDragon]

They're probably looking at saving a lot of money in the long run. Chrome OS has a much smaller compute footprint, so cheaper hardware, uses less power, etc. Also much lower licensing costs.

Re:incompetence

[jenningsthecat]

ChromeOS doesn't fix the problem of incompetence, perhaps IT have tried to pass this off as a panacea to the business to deflect from their failure.

Or perhaps ChromeOS has a smaller attack surface and a much lighter footprint / less complexity on the client side, (making it less vulnerable), and the IT department was simply making a sound professional recommendation.

Also, we don't know what other past problems they might have had with Windows usability and vulnerabilities. There could have been a bunch of other factors that supported the new direction, with the ransomware attack being simply the final deciding factor.

Re:

[AmiMoJo]

We can infer some things. They must have been using web based or remote desktop based apps, since you can't run the Windows version of Microsoft Office on Chrome OS. So really what they needed were terminals. For some reason people seem to think that Windows is a good OS for that - right now I have an old Dell Thin Client that was being thrown out, it's got a Windows 10 Pro licence and Core i5 CPU with 8GB of RAM... To run a web browser.

Re:

[gweihir]

They had the plans for this ready and tested. They likely lost zero data. Modern (!) corporate IT is typically web-based anyways.

Re:

[kehren77]

Bad I.T. always causes problems... but it wasn't a "bad" decision to refuse to pay the ransomware fees. If they're this easily able to switch platforms, that tells me there must not have been a lot of data they were really concerned about hanging onto? I mean normally, THAT'S really why companies panic, run to the backups, and possibly even give in to pay the ransoms. The hassle of having to rebuild a bunch of Windows workstations again, if the main concern, means it's just as easy or easier to flip everything to something like ChromeOS.

Well usually in ransomeware attacks they hose your backups too. So make sure you have some sort of backups that aren't connected to your main systems.

Sounds like they are using their old hardware but just wiping and reinstalling ChromeOS on them. So they're still going through all the hassle of wiping and re-imaging everything. I'm guessing the old system was something they bought 10+ years ago, never paid maintenance licensing for, and all of their workstations were still Windows XP. They're installing Chr

Re:

[evanh]

The switch was going to happen anyway. It was obviously tested and ready to deploy. They just needed the go from management.

Re:

[DidgetMaster]

Are they sure the ransomware came from an OUTSIDE source? Let's see. The tech guys had already tested out a new solution and were ready to deploy. They were waiting for a possibly reluctant management team to give their permission to go ahead. Along comes this hack to push management over the edge...hmmm.

Re:

[evanh]

There's over 1 million ransomware attacks per day. Coincidences are going to happen.

Re:

[jellomizer]

The big issue is that it is too easy to turn everything on by default. You just take the Bosses nephew into the lab and say install these computers, they install the OS and select all the features to be on by default.

Having done OpenBSD implementation, where the install rarely ever turns on anything, where you have to purposely turn on features so you know exactly where your risk points are on the system.

Chome OS mostly setup for Mobile Systems, mostly has most of its outward facing stuff turned off, and y

Re:

[NateFromMich]

So your IT fucks up, lets migrate to something else because bad IT can't hurt us elsewhere right? Think they are in for a nasty shock, incompetence hurts regardless of platform.

You make it sound like good IT is just super easy. Look around and see how everyone is fucking up. It's in the news all the time.
What's your real problem with this solution?

Re: incompetence

[ArmoredDragon]

He's pissed off that they switched from Microsoft to Google. What what did you think it was?

Re: incompetence

[ArmoredDragon]

What else*

Re:

[gweihir]

There is no indication they were hit because of incompetence. In fact, quite the opposite. The fact of the matter is that you cannot reliably secure MS crap against ransomware. Not possible. You can only prepare to recover. There people sensibly decided to move to something better in case they got hit.

They recovered in 3 (!) days. That means they had the plans tested and ready to be implemented. _Nobody_ incompetent can recover from something like that in 3 days. They probably were mostly or completely web-

Re:

[crunchygranola]

Additionally, even though a ransomware attack got in it does not follow that this meant they risked losing much corporate data. If everything is based off of a central data center, which is more than likely, then a competent organization has regular disaster-recovery backups ready. And ransomware attacks are not necessarily (or even usually) Mr. Robot-like efficient. Even data live on the network may escape.

The assumption of many slashdotters here is (the usual one) that "they must be total idiots', but bas

Re:

[gweihir]

Indeed. Also, I have personally seen an analysis of ransomware getting into a pretty well run IT infrastructure. The MS crap just cannot be reliably secured with still acceptable effort against that. You can just reduce the risk and be prepared to recover. The people I talk about were productive again with 3 days as well, lost no data and likely had no data stolen. That is a good outcome and a sign of pretty high competence.

The typical Slashdot "expert" has no clue about actual risk-management and IT securi

Re:

[gravewax]

What a load of BS, millions of companies successfully secure MS crap every day. The reality is MS is no more insecure and in many cases far more secure than the alternatives. However like Linux it requires good maintenance and management to keep it secure and most IT departments fail in this area.

Re:

[gweihir]

What a load of BS, millions of companies successfully secure MS crap every day.

They don't. They just got lucky that no competent attacker tried that day. MS crap is insecure by design. A really competent IT department can make it "somewhat secure", but that is how far it goes. With Unix/Unix-like infrastructure a competent IT department can secure things reliably.

Sure, an _incompetent_ IT department will be a bit less insecure with MS crap, but they will be insecure.

Re:

[jabuzz]

Nobody can secure everything all of the time, whether it be Windows, MacOS, ordinary Linux or ChromeOS. Now clearly some things are easier to secure than others, so sure Linux is easier to secure than Windows, but if someone targets you probably all bets are off. It is simply not possible to 100% secure anything and anyone claiming it is shows themselves to be incompetent. Even not being connected to the internet is not going to help, just ask Iran about their centrifuges...

All that you can do is work hard

Re:

[ledow]

I'd question the competence of an IT person who thinks that a full Windows desktop is a necessary and proportionate and secure environment to run a single, very limited process that is far better done in either a) an enclosed web-based product or better b) a locked-down kiosk mode OS running that single process and nothing else.

a) is good for central management, but only if the device is locked down to ONLY allow access to that web portal and nothing else (hence killing concerns over XSS, injection, browser

ALWAYS better than microsoft.

[stooo]

Something else is ALWAYS better than microsoft.

Yikes, criminal-cloud complex emerging.

[phenome]

People prowling around? Stealing packages? Put cloud connected Ring cameras everywhere. Ransomware? Move to cloud. Response to all kinds of crime becoming cloud based, with crime increasing and power centralizing. Not blaming the cloud folks, just observing how destabilization ends up empowering them.

Re:

[kqs]

So: You have a hard problem you cannot solve by yourself, but which a cloud solution can fix? Move to a cloud based solution; done. People aren't moving to cloud because they want to empower cloud companies; they move because it usually works.

My experience is that 95% of tech people think that they can run servers better than cloud providers can. My experience is that 99% of the people who believe that are demonstrably wrong.

Cloud does not solve all problems, and cloud is not always the best solution.

Re: Yikes, criminal-cloud complex emerging.

[phenome]

The thing that concerns me is the security dimension. The fact is, 1990-2010 no one heard of the cloud, yet for the most part things worked fine. Yet now, to avoid theft, everything must be monitored through cloud based surveillance, to avoid hacking everything needs to managed and cloud based. Again not blaming the cloud people for it, but observing that it all represents a huge concentration of power driven by crime.

Finally

[test321]

2022 the year of linux on the desktop! gentoo won!

the keycard and other local systems run on that?

[Joe_Dragon]

the keycard and other local systems run on that?
Or do they still have local systems running windows and or Linux for stuff like that?

Re:

[93 Escort Wagon]

the keycard and other local systems run on that?

I'm sure that the IT leadership thought all that through. They've put the same amount of thought and competence into this that they'd previously put into managing their computer systems before the ransomware attack.

Re:

[gweihir]

the keycard and other local systems run on that?

I'm sure that the IT leadership thought all that through. They've put the same amount of thought and competence into this that they'd previously put into managing their computer systems before the ransomware attack.

You know, that actually is likely to be true. Just not in the way _you_ think. The problem is that with insecure MS crap, you _cannot_ reliably prevent ransomware-attacks. There are too many attack vectors and MS does not really care. You can only reduce the risk and prepare to recover. These people obviously and sensibly decided that if they happen to get hit they are moving to something that actually gives them a decent level of security. There is no way they decided to do this only after the attack, they

Re:

[gweihir]

Getting drivers made is not that expensive. Some manufacturers may even do it for free or already have them.

Re:

[Guspaz]

Many enterprise/commercial RFID readers support network connectivity, they don't need to be connected to the individual computers. The back-end system can handle that.

Re:

[aaarrrgggh]

Which gets to the interesting part, at least to me: What did they do with the back-end systems to accommodate the change?

Re:

[Guspaz]

If the back-end system was already web-based, they may not have had to do anything at all. They used CloudReady (which was bought out by Google a month ago), which is a mostly hands-free installation system where you prepare a custom USB stick image configured for your environment and write it to a USB stick, and then to convert a Windows machine to ChromeOS, you just boot off the USB stick, hit the confirmation button a few times, and then the machine is ready for enrollment, which AFAIK is just a matter o

Re:

[crunchygranola]

What doe German electropop [munichsyndrome.com] have to do with this?

So much for H\W based security

[Hari Pota]

On one hand maybe the multitude of Intel and AMD CPU security advancements arent that important -- yet.
On the other hand, maybe WIndows has continually strayed from an object oriented code base until "fixes" have interconnected and metastatized and the OS devolved into a "brick". The memory demands of XFCE or LXDE are dramatically less. MS could learn something there.

Re:

[Anne Thwacks]

MS could learn something there.

Learning is NOT the MS way.

Scandanavians are, uh, "thrifty"

[Hari Pota]

https://www.abc.net.au/news/20... [abc.net.au]

I hope they didnt "dreet en der buchswa" as we used to say.

Sensible

[gweihir]

In many corporate environments, computers are primary web-terminals anyways. There is no need to have an insecure general purpose machine with the 3rd rated crap from MS as the OS. Cheaper as well. For letters and the like LibreOffice works just as well (better in my experience) and if you send out PDFs, that means less risk to your customers and no problem reading it anywhere. Sticking with MS crap is just people that fear change.

Chrome - the new CICS?

[4wdloop]

This turn is very interesting. Web/Cloud computing is 21st century version of terminal-based IBM CICS...with Chrome Web Browser becoming the terminal running on Chrome OS Admittedly CICS was designed to be extremely multi-user efficient putting today's backend systems to shame, though this turn here is for security reasons.

I am guessing this worked due to data exports

[sonamchauhan]

I am guessing this has worked for them since they were already testing a pilot project with Chromebooks. They probably had data covering all these hotels exported daily.

So when their Windows-based data locked up, they went all in. Maybe not because they could, but because they had to. Their data exports may have been tailored for the Chromebook rollout. It may not have been possible to restore their Windows-based system in a reasonable time.

So: backup, backup, backup ... and have an entirely different IT sy

Hotels..notoriously cheap in IT

[drewsup]

Most are running older Windows embedded on small Citrix boxes, but I ran into a chain 10 years ago still running NT as a base OS, some the PCâ(TM)s still had floppy drives. They didnâ(TM)t care, most were dust choked and all they wanted was a base OS for their web based industry app.

The right thing to do.

[Qbertino]

Chrome OS is precisely the right amount of power and utility for a regular user these days. You have to deliberately do dangerous things requiring expert knowledge to compromise a Chrome OS setup. It's trivial to use and has kernel and userspace neatly separated, as it is Linux and emphasizes web-centric applications, doing away with the huge mess that comes with maintaining state on individual machines beyond anything that can be stored in Cookies and Web Indexed DB.

If I had to - for some odd reason - do h

Re:The right thing to do. SECONDED!

[mmell]

I've been using Linux for a long time. A decade ago, I gave up and started just using Windows on my new hardware (it was pre-installed and I'm getting lazy - hey, it's only a personal workstation after all). A couple years ago I did a contract for Alphabet, who issued me a Chromebook to work on.

Windows was always designed based on a philosophy of "one human, one machine". You want to do more, you get a more powerful machine. For gamers, an appropriate solution.

ChromeOS is designed based on a philosoph

At last.

[drolli]

Now i know that the data about me staying there is in good hands.

Two ransoms avoided!

[skaag]

They avoided both the ransom from the attackers, and the bigger one, from Microsoft!