Omni Hotels

The Daixin Team ransomware gang claimed a recent cyberattack on Omni Hotels & Resorts and is now threatening to publish customers' sensitive information if a ransom is not paid.

The hotel chain was added to Daixin Team's dark web leak site over the weekend, two weeks after a massive outage brought down the company's IT systems and impacted reservation, hotel room door lock, and point-of-sale (POS) systems.

On April 2nd, Omni Hotels confirmed that a cyberattack was the root cause behind the nationwide IT outage at its locations.

"Since Friday, March 29, Omni Hotels & Resorts has been responding to a cyberattack on its systems. Upon learning of this issue, Omni immediately took steps to shut down its systems to protect and contain its data," the hotel chain told BleepingComputer.

"As a result, certain systems were brought offline, most of which have been restored. Omni quickly launched an investigation with a leading cybersecurity response team, which is ongoing."

While Omni had not revealed the nature of the incident, sources told BleepingComputer that the hotel chain was the victim of a ransomware attack and was manually restoring encrypted servers from backups.

Even though the Daixin Team has now added the hotel chain to their leak site, as DataBreaches.net first reported, they have yet to publish proof on their site.

They say they'll "soon" leak information allegedly stolen from Omni Hotels' compromised servers, "including all records of all visitors from 2017 to the present."

However, Daixin did share screenshots of the stolen data with DataBreaches.net showing a database dump containing 3,539,089 records of Omni Hotels visitors with sensitive information, including names, email addresses, and mailing addresses.

Omni hotels Daixin Team leak
Omni Hotels Daixin Team leak (BleepingComputer)

In October 2022, CISA, the FBI, and the Department of Health and Human Services (HHS) warned the Daixin Team cybercrime gang was targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks.

Since then, this financially motivated ransomware and extortion group has been linked to multiple incidents where they've encrypted systems and stolen patient health information (PHI) and personally identifiable information (PII).

This information is then used for double extortion, pressuring victims into paying a ransom under the threat of releasing the stolen data online.

Daixin Team gains access to target networks by exploiting known vulnerabilities in the organizations' VPN servers or using compromised VPN credentials belonging to accounts that have toggled off multi-factor authentication (MFA).

Omni Hotels operates 50 hotels and resorts across the United States, Canada, and Mexico, with over 23,550 rooms and 28 golf courses.

In 2016, it also disclosed a data breach caused by malware infecting point-of-sale (PoS) systems at 49 of its 60 hotels in North America.

The attackers used the PoS malware to steal payment card information, including the cardholder's name, credit/debit card number, security code, and expiration date.

Update April 15, 15:20 EDT: Added info regarding Daixin claiming they stole 3,539,089 visitor records.

Related Articles:

Omni Hotels confirms cyberattack behind ongoing IT outage

The Week in Ransomware - April 19th 2024 - Attacks Ramp Up

United Nations agency investigates ransomware attack, data theft

The Week in Ransomware - April 5th 2024 - Virtual Machines under Attack

Panera Bread week-long IT outage caused by ransomware attack