Cyber Incident Victim: IT-Hotellet

Date: May 2024

Location: Denmark

Summary

A Danish hosting company experienced two consecutive ransomware attacks by unidentified hackers, leading to the complete encryption of its servers and data. The owner, forced to disconnect servers to protect customer information, initially restored most operations but ultimately faced liquidation after the second breach. The attacks disrupted monitoring systems for a university hospital client, requiring temporary manual oversight. Despite efforts involving law enforcement and a security firm, the company could not recover, resulting in its shutdown. The incident underscores the critical importance of robust backup systems, as the loss of data and operational capacity proved insurmountable, leaving the owner with significant personal and financial repercussions.

Description

IT-Hotellet, a Danish hosting provider, experienced two sequential ransomware attacks in May 2024 that ultimately forced the company into liquidation. The first attack compromised the firm’s servers, housed in a former bunker near Fruens Bøge in southern Odense, allowing unidentified threat actors to encrypt and lock all data. During this initial breach, attackers gained remote control of systems: the owner, Thomas Vandsted Nielsen, witnessed unauthorized mouse movements on his screen and saw passwords being changed. Despite successfully restoring 99.5% of operations after the attack, a recovery that minimized customer disruption, the company faced a second, more devastating intrusion shortly afterward. This follow-up incident occurred as Nielsen attempted to manually expel the hackers from the network, and culminated in 50 servers crashing simultaneously after the attackers executed widespread encryption. Nielsen disconnected all servers to prevent further data theft or loss, prioritizing customer data protection over business continuity.

The attacks critically impacted IT-Hotellet’s operations and clients, including Odense University Hospital (OUH), which relied on the firm for technical and support servers monitoring its internal systems. While OUH confirmed no patient safety risks or direct system compromises, the hospital shifted to partial manual monitoring due to severed server connections. After the second attack, Nielsen contacted the police, who advised engaging a cybersecurity firm to assist with customer migration; however, IT-Hotellet’s infrastructure was irrecoverable. The company initiated liquidation to avoid accruing debts, leaving Nielsen financially depleted. OUH anticipates transitioning monitoring to internal systems under Region Syddanmark. Nielsen emphasized the necessity of redundant backups as the primary lesson, stating that a single backup proved insufficient to withstand the attacks. As of the report, IT-Hotellet had not formally declared bankruptcy but expected this outcome.