Ransomware attack on Omni Hotels: curstomer data compromised

Dixin ransomware gang claimed Omni Hotels as a victim

In the announcement posted on the official website,^[1] Omni Hotels & Resorts has acknowledged that it was the victim of a ransomware attack that seriously compromised client data.

Omni Hotels experienced an extensive IT disruption on March 29th as a result of a ransomware attack, which caused interruptions throughout their network, including reservation systems, hotel room door locks, and other operational technology.

Cybercrime group Daixin Team claimed responsibility for this attack and announced on their dark web leak site that they had obtained approximately 3.5 million records.^[2] The compromised data included names, email addresses, and mailing addresses of Omni Hotel guests dating back to 2017. The stolen information also included details from the guest loyalty program but notably excluded sensitive financial data and Social Security numbers.

Omni Hotels restored its operations and prepared for the investigation

Following the attack, Omni Hotels immediately shut down its systems in order to contain the breach and started the roughly week-long process of restoring services. To limit the impact of the breach and determine its extent, the company commenced a comprehensive investigation with the assistance of a top cybersecurity response team.

Systems were primarily restored by manually restoring encrypted servers from backups, which suggests that Omni had effective data recovery strategies in place prior to the attack.

Omni was able to quickly restore the majority of its vital systems online during the recovery phase. But the incident revealed possible weaknesses in their cybersecurity measures, especially considering how fast the ransomware was able to enter their network and impair numerous services.

Daixin cybercriminals use vulnerabilities in software to breach their targets

The attack against Omni Hotels was carried out by the Daixin Team, who have been active in hitting a number of industries, most notably the United States Healthcare and Public Health (HPH) sector.

In October 2022, the Department of Health and Human Services (HHS), the FBI, and CISA^[3] all released warnings regarding the Daixin Team, citing a history of aggressive cybercrime. The gang is well-known for its extortion and ransomware campaigns, in which they encrypt victims' data and demand payment of a ransom before releasing it.

Their operating strategies frequently entail taking advantage of VPN server flaws; they specifically target companies where multi-factor authentication has been turned off or when VPN credentials have been compromised. They may more easily spread their ransomware because of this strategy, which gives them unrestricted access to the company's networks.

This technique most certainly gave Omni Hotels the first access they required to carry out their attack, underscoring the vital role that strong and safe network security plays in averting breaches of this type.

Not the first time Omni Hotels in trouble

The perpetrators in the latest Daixin Team ransomware attack initially wanted a $3.5 million ransom. After negotiations, this sum was lowered to $2 million. There has been no disclosure regarding the outcome of these negotiations, including whether the ransom was paid. But the possibility of the stolen data being released highlighted how serious the situation was.

Additionally, Omni Hotels has faced cybersecurity challenges in the past. Back in 2016,^[4] the company reported a data breach involving malware that targeted the point-of-sale (PoS) systems across 49 of its 60 properties in North America. The malware was designed to capture a wide array of payment card details, such as the cardholder’s name, card number, security code, and expiration date.

Omni Hotels & Resorts is a well-known name in the hospitality sector, operating 50 hotels and resorts in the US, Canada, and Mexico. The size of its operations is demonstrated by the vast network, which has over 23,000 hotel rooms and 28 golf courses, which is a lucrative target for ransomware attackers.