Cyberattack on K Club before Irish Open | The Sunday Times, (Ireland Edition)


Flor Lynch

Sep 7, 2025, 7:27:19 PM
to 'Emma May' via VIBISTRO

Cyberattack on K Club before Irish Open

The five-star resort was hit by a ransomware attack, with leaked data including financial records, IT documentation and administrative information
The Sunday Times
The K Club fell victim to the attack, which cybersecurity specialists believe came from a Russian group

Hackers carried out a ransomware attack on the five-star K Club resort in Co Kildare as it prepared to host some of the world’s top golfers at the Irish Open this weekend.

Some data stolen during the breach was uploaded last Tuesday to the darknet, a section of the internet inaccessible without specialist software. The leaked files included financial records, IT documentation and administrative information.

The impact of the cyberattack remains unclear but golfing fans attending the event this weekend to see the likes of Rory McIlroy, Shane Lowry, Tyrrell Hatton and Brooks Koepka have reported difficulty using the resort’s wi-fi, with some saying they were unable to access Gmail.

The world number two golfer Rory McIlroy is playing in the Irish Open

The ransom demand was delivered in a text file left on the club’s systems by a criminal organisation calling itself SafePay. It is not yet clear whether the gang’s demands were met. The group typically seeks hundreds of thousands of euros, payable in bitcoin, with the sum calculated at 1 to 3 per cent of a victim’s annual turnover, though this can be reduced following engagement.

Cybersecurity specialists believe the group is likely to be Russian. Its ransomware has been designed not to infect systems configured in the Russian Cyrillic alphabet, a characteristic often associated with Russian-based criminal operations.

Garda Headquarters became aware of the hack through its digital intelligence monitoring, which scans the darknet for threats against Irish organisations and the state. Despite this, no formal criminal investigation has yet been launched. The Data Protection Commission (DPC) has been notified and has opened an inquiry, however.

Investigators believe the attackers gained access to the resort’s IT network through a vulnerability in its virtual private network (VPN) system last month. They then moved quickly to exfiltrate large volumes of data before deploying ransomware.

Security experts suggest that the gang encrypted vast amounts of information within days.

SafePay first appeared late last year, launching ransomware attacks on technology and manufacturing companies in the United States and Germany. It has organised at least three known attacks on Irish firms and hundreds more worldwide.

The group typically presents ransom demands as a form of “paid training session” for their system administrators. In return for payment, they promise to provide a decryption key to unlock affected systems. Victims are usually given ten days to pay before SafePay publishes details of the breach on a blog and then releases some stolen files.

Cynthia Kaiser, a former FBI agent who now works for Halcyon, a ransomware research firm based in San Diego, said that SafePay carefully selected its targets and used methods designed to exert maximum leverage.

Digital intelligence monitoring led to Garda Headquarters in Dublin becoming aware of the cyberattack

“They have the hallmarks of experienced ransomware actors. They usually encrypt a network within 24 hours from initial access. Most actors take a few days to do that,” she said. “This reduces the detection response opportunity time. Oftentimes they give victims aggressive 72-hour initial deadlines to create urgency. The goal is to do all this quickly so you don’t get caught,” she added.

Kaiser warned that ransom payments rarely guaranteed protection of stolen data. “Actors will say that they’re going to delete the data if you pay. But when I was at the FBI, we would then conduct takedown operations of ransomware groups.

“We saw time and time again that ransom actors do not delete the data when you pay. It may not be leaked out on the site, but they don’t delete it,” she said.

The K Club confirmed that it had experienced “a cyber-incident” affecting its IT infrastructure in recent weeks. However, it declined to answer specific questions.

“We have informed the Data Protection Commission. No guest or client information was accessed during this incident and the K Club has implemented several additional security measures to safeguard our information since then,” a spokesman said.

K Club declined to comment on whether a ransom was paid to SafePay. 

