Hotel boss: 'We were hacked, but nobody was locked in or out'

In the cybersecurity world, there's no shortage of scary stories. Nation-state hacking? Check. Power grid hacking? Check. Huge botnets that are able to take down the internet itself? Check. But sometimes, a story is just too good to be true.

The latest example of hacking-gone-mad emerged from Austria, where a luxury four-star hotel resort called Romantik Seehotel Jaegerwirt was hit with ransomware that reportedly locked a slew of guests out of their rooms and caused chaos with computers.

Initial reports, from English-language Austrian news outlet The Local, relayed claims that hackers had infected computer networks and managed to successfully target the hotel's key mechanisms.

According to The Local, hotel managers paid a ransom after the hackers demanded 1,500 euro (£1,270) in Bitcoin. It said the hotel was attacked three times in total, and that "guests could no longer get into their hotel rooms and new key cards could not be programmed."

Christoph Brandstaetter, managing director, said: "The hotel was totally booked with 180 guests, we had no other choice [than to pay]. Neither police nor insurance help you in this case. The restoration of our system after the first attack in summer has cost us several thousand euros.

"We did not get any money from the insurance so far because none of those to blame could be found. Every euro that is paid to blackmailers hurts us. We know that other colleagues have been attacked, who have done similarly."

A critical reception

For a ransomware attack, it was so far so normal. Yet for cybersecurity experts used to writing about the topic, the claim that ransomware targeted key locks didn't quite sit right. "It just didn't make any sense," wrote commentator Graham Cluley in a blog post.

"Why would a hotel announce that they had failed so spectacularly at securing their systems, and inconvenienced hundreds of their guests?

"Where were the quotes from aggrieved hotel guests who were locked in their rooms? Where were the social media posts and YouTube videos of guests unable to leave their hotel rooms? Why are there no grumblings on TripAdvisor or on the hotel's Facebook page?"

Indeed, after the story started to spread rapidly, The Local retracted one of its original claims, changing the title of its article from "hotel ransomed by hackers as guests locked in rooms" to state the opposite.

It added a note at the bottom: "Due to a misunderstanding, it was stated that guests were locked in their rooms. This was not the case, as guests were free to leave at any time, however they were unable to re-enter their rooms."

Yet even this appears to be disputed by the hotel bosses. "We were hacked, but nobody was locked in or out," Brandstaetter said in a statement after the news broke. He added: "For one day we were not able to make new keycards.

"Since the locking system must work even in the event of power failure, the guests in the hotel almost did not notice the incident. We simply could not issue new keycards because the computers were encrypted." In a separate statement to PC Magazine, a spokesperson said of the key-locking claims: "Sorry to tell you – this is fake and wrong information."

Of course, ransomware remains a real problem, with many firms being forced to pay significant amounts of money to regain access to their computer systems. The issue is so rampant that a new initiative – called No More Ransom – was recently launched to help infected companies fight back.