Daixin ransomware gang claims attack on Omni Hotels

The Daixin Team ransomware gang claimed a recent cyberattack on Omni Hotels & Resorts and is now threatening to publish customers' sensitive information if a ransom is not paid.

The hotel chain was added to Daixin Team's dark web leak site over the weekend, two weeks after a massive outage brought down the company's IT systems and impacted reservation, hotel room door lock, and point-of-sale (POS) systems.

On April 2nd, Omni Hotels confirmed that a cyberattack was the root cause behind the nationwide IT outage at its locations.

"Since Friday, March 29, Omni Hotels & Resorts has been responding to a cyberattack on its systems. Upon learning of this issue, Omni immediately took steps to shut down its systems to protect and contain its data," the hotel chain told BleepingComputer.

"As a result, certain systems were brought offline, most of which have been restored. Omni quickly launched an investigation with a leading cybersecurity response team, which is ongoing."

While Omni had not revealed the nature of the incident, sources told BleepingComputer that the hotel chain was the victim of a ransomware attack and was manually restoring encrypted servers from backups.

Even though the Daixin Team has now added the hotel chain to their leak site, the threat actors are yet to publish proof of their claims, saying they'll "soon" leak information allegedly stolen from Omni Hotels' compromised servers.

The gang also claims that "stolen data includes sensitive data, including all records of all visitors from 2017 to the present."

Omni Hotels Daixin Team leak (BleepingComputer)

In October 2022, CISA, the FBI, and the Department of Health and Human Services (HHS) warned the Daixin Team cybercrime gang was targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks.

Since then, this financially motivated ransomware and extortion group has been linked to multiple incidents where they've encrypted systems and stolen patient health information (PHI) and personally identifiable information (PII).

This information is then used for double extortion, pressuring victims into paying a ransom under the threat of releasing the stolen data online.

Daixin Team gains access to target networks by exploiting known vulnerabilities in the organizations' VPN servers or using compromised VPN credentials belonging to accounts that have toggled off multi-factor authentication (MFA).

Omni Hotels operates 50 hotels and resorts across the United States, Canada, and Mexico, with over 23,550 rooms and 28 golf courses.

In 2016, it also disclosed a data breach caused by malware infecting point-of-sale (PoS) systems at 49 of its 60 hotels in North America.

The attackers used the PoS malware to steal payment card information, including the cardholder's name, credit/debit card number, security code, and expiration date.