Spread and point of entry – IT forensic analyses conducted by the specialists at ResponseOne revealed that the attackers were able to move through the network almost unhindered due to a faulty network segmentation between company locations. Why the service provider failed to implement proper segmentation remains under investigation. The attackers' lateral movement and the eventual encryption of systems could be traced from several legacy sites all the way to the arcona headquarters in Rostock. Although it is already known that access occurred via VPN, the exact entry point is still being determined.

Data exfiltration confirmed – Unfortunately, data exfiltration was detected at the central site in Rostock. The attackers left only minimal traces, and the encryption of systems continues to hinder forensic investigation. arcona is currently working with the data protection officer to assess which individuals and companies may have been affected. Naturally, all affected parties will be notified as soon as the data has been reviewed in detail. For any inquiries, arcona’s data protection team can be reached at datenschutz@arcona.de.

Hacker group identified – Initially, the group behind the attack was not disclosed for tactical reasons. However, due to the scale of the incident and in order to avoid giving in to potential extortion, arcona is now taking the step of informing the public. The ransomware has been linked to the notorious group Akira, which has been operating since 2023.

Progress in emergency operations and system recovery – In the past week, additional critical systems, such as point-of-sale systems and interfaces at affected locations, have been successfully and securely brought back online.

Other business units are also making progress under emergency operations. For example, the telephone system at the headquarters in Rostock has been successfully restored. In parallel, planning for a full system restart has begun. A deliberate decision has been made to fully transition to modern cloud technologies. Direct networking between individual sites will be avoided during the rebuild. Although significant investments had already been made in IT security at the various locations, future infrastructure will be even more resilient.

Transparency and legal review – Alexander Winter, Managing Director of arcona Hotels & Resorts, stated: “We deeply regret that this incident and the associated data leak occurred as a result of the attack and the failure of a service provider.” All guests, partners and business clients are advised to remain especially vigilant. If any unusual activity is detected or questions arise, please feel free to contact cyberangriff@arcona.de at any time.

In addition to the ongoing technical and forensic analysis, the root cause of the faulty network segmentation is being investigated both internally and externally. Legal action against those responsible is also being considered.

About arcona Hotels & Resorts

Founded in 2008, arcona Hotels & Resorts is based in Rostock and specialises in the operation and development of premium leisure and holiday hotels. The current portfolio includes eight properties, some of which are located in listed buildings at renowned holiday destinations such as Rügen, Sylt and Usedom. Among the highlights are the well-known Hotel Elephant in Weimar, the historic Hotel Kaiserhof on Usedom, and the Schloss Teschow Golf Club. As a licensee of the Barefoot concept developed by Til Schweiger, arcona also operates Barefoot Hotels at established destinations such as Mallorca. The company is owned by Alexander Winter and Treugast founder Prof. Stephan Gerhard. Its headquarters are located in the listed Zeeck Villa in Rostock.