Raging Waters Sydney impacted by ransomware attack

The personal data of guests who have visited the popular Raging Waters Sydney waterpark may be at risk as a result of targeted attack by cyber criminals.

As reported by Information Age, hackers are understood to have stolen a reported 1TB of data from Parques Reunidos, the Spanish attractions operator whose multinational portfolio of properties includes the popular Raging Waters Sydney waterpark.

The Madrid-based company jumped into incident response mode after recently discovering what it describes as “unauthorised external access to our computer systems”, commencing forensic investigations and engaging that country’s Spanish Data Protection Authority (AEPD) about the incident.

Its response included shutting down affected systems and blocking their users; blocking of remote access connections; blocking all users’ passwords; and ‘temporary isolation’ of the company’s data centre.

The company is also expanding its data security tools and running “extraordinary awareness and training actions” to remind users about the risks of ransomware and other potential cybersecurity risks.

Those risks could impact guest who have visited Raging Waters Sydney, one of 21 waterparks operated by the group - whose portfolio of around 60 amusement parks, zoos, family entertainment centres are primarily located in Europe and the USA.

The Sydney waterpark was acquired by the Spanish company’s Palace Entertainment subsidiary in July 2018 for $40 million from Village Roadshow Themes Parks - marking its entry into the Australian market.

Reports suggest that the attack has been carried out by the BianLian ransomware gang whose custom software - with a reported 20 victims so far - exploits well-known vulnerabilities to quietly steal data.

Members have lurked on victim networks for up to six weeks, according to security group Redacted, with the ransom note on infected systems warning victims that “we have been downloading data from your network for a significant time before the attack”.

The data will be posted on the group’s Darkweb site within 10 days if the ransom is not paid, the group threatens its victims, warning that links to the data would be sent to clients, partners, competitors, and news agencies - threatening “potential financial, business and reputational loses (sic).”

BianLian’s ransomware encryption - which is spread through email attachments or clicking on links to malicious Microsoft Office, PDF, ZIP, JavaScript and other files - has already been reverse engineered and a decryptor was published earlier this year.

However, the mass publication of ‘client’ information could create challenges for the millions of people who have attended Raging Waters Sydney since it opened in 2013 - whose personal data is likely amongst the significant volume of data compromised by the attackers.

The stolen data is described as including personal information about company employees; ‘information and contacts’ of the company’s ‘partners and clients’; information about incidents at the company’s parks; and legal, financial, health, and operational information.

Information Age advise that such multi-pronged attacks are part of a growing trend that has seen ransomware gangs diversifying, rebranding, and networking with other groups to bolster their operations amidst declining ransomware revenues that could, Trend Micro recently warned, see many groups branching out into “adjacent areas” such as business email compromise (BEC), money laundering, and cryptocurrency theft.

Wave pool evacuation creates stir on social media
While Raging Waters Sydney maintains a low profile in the media, it was recently the focus of a social media stir after its wave pool was evacuated on Monday 9th January.

The incident saw guests asked to evacuate the popular waterpark’s wave pool, leading to speculation as to the reason.

With many confused by the closure, guests began to circulate videos on social media speculating that there had been a ‘code brown’ incident (when a person defecates in a pool).

One video, which showed a lifeguard standing at the edge of an empty pool while the adjacent beach area was full of idle patrons, racked up thousands of comments, with people expressing their reluctance to visit the attraction due to incidents like this.

However, a Raging Waters Sydney spokesperson subsequently advised that somebody had vomited in the wave pool.

Speaking to Yahoo News Australia, a spokesperson explained “a guest was sick whilst in the pool.”

As a result, the spokesperson noted that the facilities were closed for 20 minutes to allow staff to sufficiently clean the pool by following procedures "set out in their NSW Health Incident Response plan".

The spokesperson added “this is a very common issue that happens at all pools and water attractions.”

Image courtesy of Raging Waters Sydney.