This spring, Omni Hotels & Resorts suffered a ransomware attack during the Easter holiday weekend that disrupted systems across its 50 properties, reportedly causing guests to wait longer to make reservations and access their rooms.
Daixin Team claimed responsibility for the attack, signalling a shift in the cybercrime organization’s strategy from targeting the healthcare sector to hotels, which face even more pressure to pay a ransom when they are hit during a busy time of the year. Security Week reported Daixin Team made a $3.5 million demand and dropped it to $2 million, but it’s not known whether Omni paid the ransom, which could indicate the hotel chain had sufficient backup data to resume operations on its own. Still, other tangible and intangible damage was done.
While Omni claims no “sensitive information such as personal payment details, financial information, or social security numbers” was impacted, it disclosed that “customer name, email, and mailing address, as well as Select Guest Loyalty program information” was affected by the attack, which started March 29. Omni said after launching an investigation and partnering with a cybersecurity response team, its systems were fully restored April 8.
With summer arriving in the Northern Hemisphere, hotels can expect more business as travel picks up and, if ransomware gangs stick to their new strategy, more potential for ransomware attacks. Fortunately, hospitality organizations can take steps to prevent such a strike and, even if they do suffer a breach, prepare for a quick response that minimizes damage.
How does a ransomware attack work?
A typical attack will infiltrate the victim’s system, encrypt a user’s files and prevent them from being accessed unless the user pays a ransom, usually payable in cryptocurrency.
(Some ransomware attacks, though, will create copies of a victim’s data and threaten to release them publicly unless the ransom is paid.)
There are several ways that ransomware can find its way onto a target computer or network. Some of the most common methods include:
- Deploying phishing attacks that trick employees into clicking a malicious link or downloading an infected attachment.
- Taking advantage of an organization’s Remote Desktop Protocol (RDP), which lets offsite workers log into its network. This can happen when a bad actor acquires an employee’s login credentials and then downloads ransomware to their machine. RDP attacks can also be carried out via a network’s servers if they have been infected.
- Exploiting security vulnerabilities in other commonly used applications.
How to prepare for a ransomware attack
- Hire cybersecurity experts to conduct a 360-degree risk assessment of your systems. They can help identify potential weaknesses and develop an actionable, comprehensive plan for improving your defenses. Convergent DS has a dedicated offering for this called Ransomware Assess.
- Implement a plan for regularly backing up all critical information, and then test those backups to make sure the information is actually being saved. The backups should be stored outside your organization’s network, possibly offline, to protect them from a ransomware attack.
- Train (and retrain) your team to recognize phishing attacks so they don’t click malicious links or download ransomware disguised as PDFs and other files.
- Employ multi-factor authentication internally and on customer reward program accounts. Marriott Bonvoy recently updated its MFA process on its customer accounts, for example.
- Create a process for constantly updating operating systems and software with the latest security patches.
- Make it harder for your team to accidentally download ransomware. That could include using current antivirus software that scans all downloaded software before it is executed, or restricting most users from installing software applications unless their role calls for it.
Responding to a ransomware attack
Like Omni did, companies should consider contracting with a digital forensics team such as Convergent DS, which has deep experience working with the hospitality industry and handling ransomware attacks. They can quickly assess how the attack was executed and plug any holes in your security.
Fast-moving experts can also diagnose the scope of the ransomware infiltration and, if possible, prevent it from corrupting other parts of your systems. Depending on the type of attack, they may be able to decrypt your files without paying a ransom to the attackers. Failing that, they could clean your systems and restore your files from previously created backups.
As these types of incidents become more common, smart organizations will have a plan in place before the worst happens. If your company wants to assess your current cybersecurity and develop a plan, let’s talk.