
Cyber Incident Victim: Boyne Resorts

Date: Oct 2020

Location: United States of America

Summary

Boyne Resorts suffered a WastedLocker ransomware attack attributed to the Russian-linked Evil Corp group, disrupting corporate and resort IT systems and forcing partial network shutdowns to contain the infection. The incident crippled company-wide reservation capabilities, including online booking platforms for lodging, with recovery expected to take several days. Encrypted files were appended with a .easy2lock extension, and the attack posed potential sanctions risks under U.S. regulations due to the perpetrators' sanctioned status.


Description

On or around October 17, 2020, Boyne Resorts, a US-based operator of eleven ski and golf resorts across the United States and Canada, suffered a ransomware attack attributed to the WastedLocker operation. The incident began with a compromise of corporate offices before spreading to IT systems at individual resort properties, prompting the company to shut down portions of its network to contain the infection. Attackers deployed WastedLocker ransomware, a strain linked by security researchers to Evil Corp, a Russian cybercrime group sanctioned by the U.S. Treasury Department in December 2019 for financial crimes exceeding $100 million in damages. The ransomware encrypted files across affected systems, appending the .easy2lock extension to compromised data. A VirusTotal sample matching this extension had been uploaded on October 14, 2020, though investigators noted it likely differed from the variant used against Boyne. The attack disrupted company-wide reservation systems, rendering online booking platforms inoperable for multiple properties, including those at Big Sky (Montana), Sugarloaf (Maine), and Brighton (Utah). Employees reported that the reservation outage was expected to persist for several days following the initial attack, which came during a critical period for winter ski trip planning.


The operational impact centered on reservation and lodging booking capabilities, affecting both centralized corporate systems and individual resort websites. Boyne Resorts did not publicly confirm details of the attack or its response strategy, though internal actions included network segmentation to limit ransomware propagation. The incident presented legal complications due to WastedLocker’s association with Evil Corp, as U.S. sanctions prohibited financial transactions with the group. This created potential liability for Boyne Resorts under Office of Foreign Assets Control (OFAC) regulations if ransom payments were made, following an October 2020 OFAC advisory explicitly warning organizations about sanctions risks involving ransomware payments to designated entities. No information regarding data exfiltration, ransom demands, or payment negotiations was disclosed. Recovery efforts focused on restoring reservation systems, with no public timeline provided for full operational normalization beyond the initial estimate of several days’ downtime.
