One year after a crippling ransomware attack, Omni Hotels & Resorts has released a comprehensive report detailing the incident's aftermath, the company's recovery, and its subsequent security transformation. The mid-2025 attack, attributed to the BlackSuit ransomware group, caused a nationwide operational shutdown and resulted in over $50 million in losses. In response, the company undertook a complete 'rip and replace' of its legacy security systems, investing over $35 million in a modern, zero-trust architecture. The report offers valuable lessons learned for the hospitality industry and beyond on resilience, recovery, and building a strong security culture.
Following the incident, Omni appointed a new CISO and embarked on an aggressive recovery and transformation plan.
The new security architecture focused on preventing the type of attack that succeeded in 2025. Key initiatives included:
The Omni Hotels report emphasizes several key takeaways for other organizations:
Based on Omni's experience, the following mitigations are critical for organizations, especially in the hospitality sector:
Implementing micro-segmentation was a key part of Omni's new strategy to prevent the lateral movement that allowed the ransomware to spread.
Deploying phishing-resistant MFA makes it significantly harder for attackers to gain initial access via compromised credentials.
Deploying an advanced EDR solution allows for the detection of malicious behaviors indicative of ransomware, even if the specific signature is unknown.
Having tested and resilient backups was crucial for Omni's ability to rebuild its systems from scratch.
Omni's adoption of network micro-segmentation is a critical lesson. In a flat network typical of the hospitality industry, ransomware can spread from a compromised front-desk PC to critical backend reservation and POS systems in minutes. By implementing micro-segmentation, each hotel, or even different functional areas within a hotel (e.g., guest Wi-Fi, POS terminals, door lock systems), can be placed in its own isolated network segment. Traffic between segments is blocked by default and only allowed through a firewall with strict rules. This contains a breach to a small area, preventing a localized incident from becoming a company-wide catastrophe.
The report's emphasis on 'phishing-resistant' MFA is key. Standard SMS or push-based MFA can be defeated by determined attackers using techniques like prompt bombing or SIM swapping. For a high-value target like Omni, moving to phishing-resistant methods such as FIDO2/WebAuthn hardware security keys for all employees, especially those with privileged access, is a necessary step. This raises the bar for attackers significantly, making credential-based initial access nearly impossible and directly addressing a common entry vector for ransomware groups.
Omni's shift to a zero-trust model is a strategic move away from the outdated 'trust but verify' paradigm. A zero-trust architecture enforces the principle of 'never trust, always verify' for every user and device, regardless of its location. In practice, this means every request to access a resource (e.g., a reservation database) is authenticated and authorized based on user identity, device health, location, and other signals. This eliminates the concept of a trusted internal network and dramatically reduces the risk of lateral movement, which was the core reason the 2025 attack was so devastating.
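The three controls described above (default-deny micro-segmentation, phishing-resistant MFA for privileged users, and per-request zero-trust authorization) fit together in a single policy decision. The following Python block is an added illustration, not code from the Omni report or from any product Omni deployed: it models an inter-segment firewall as a default-deny allow-list and then layers device-health and MFA checks on every request. All segment names, ports, users and the sample requests are constructed for the example.

```python
# Added illustration (not from the Omni report): a minimal zero-trust access
# decision engine combining default-deny micro-segmentation with per-request
# identity, device and MFA checks. Segment names, ports and requests are
# constructed for the example.
from dataclasses import dataclass

# Constructed segment-to-segment flows that the inter-segment firewall permits.
# Anything not in this set is dropped: default deny between segments, which is
# what keeps a compromised front-desk PC from reaching POS or backend systems.
ALLOWED_FLOWS = {
    ("front_desk", "reservations", 443),    # front-desk web client -> reservation API
    ("pos", "payments", 8443),              # POS terminals -> payment gateway only
    ("door_locks", "lock_controller", 5000),
    ("admin", "reservations", 22),          # admins may SSH to the reservation hosts
}

# MFA methods that bind the authentication to the origin (FIDO2/WebAuthn).
# SMS, TOTP and push prompts do not, so they can be relayed or prompt-bombed.
PHISHING_RESISTANT_MFA = {"fido2", "webauthn"}


@dataclass(frozen=True)
class AccessRequest:
    src_segment: str
    dst_segment: str
    dst_port: int
    user: str
    mfa_method: str         # "fido2", "webauthn", "sms", "push" or "none"
    device_compliant: bool  # e.g. EDR running, disk encrypted, patched
    privileged: bool = False


def segmentation_allows(req: AccessRequest) -> bool:
    """Inter-segment firewall: same-segment traffic passes, otherwise only listed flows."""
    if req.src_segment == req.dst_segment:
        return True
    return (req.src_segment, req.dst_segment, req.dst_port) in ALLOWED_FLOWS


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate every request; the first failing signal denies with a reason."""
    if not segmentation_allows(req):
        return False, "segment policy: default deny between segments"
    if not req.device_compliant:
        return False, "device health: non-compliant endpoint"
    if req.mfa_method == "none":
        return False, "identity: MFA required"
    if req.privileged and req.mfa_method not in PHISHING_RESISTANT_MFA:
        return False, "identity: privileged access requires phishing-resistant MFA"
    return True, "allow"


def evaluate_all(requests):
    """Return one (user, allowed, reason) record per request for audit logging."""
    return [(r.user, *decide(r)) for r in requests]


# Constructed sample traffic: a ransomware-style lateral move over SMB, normal
# business flows, an admin on push MFA, and an unhealthy POS terminal.
SAMPLE_REQUESTS = [
    AccessRequest("front_desk", "pos", 445, "frontdesk01", "fido2", True),
    AccessRequest("front_desk", "reservations", 443, "frontdesk01", "fido2", True),
    AccessRequest("admin", "reservations", 22, "admin01", "push", True, privileged=True),
    AccessRequest("admin", "reservations", 22, "admin01", "webauthn", True, privileged=True),
    AccessRequest("pos", "payments", 8443, "pos07", "fido2", False),
]

if __name__ == "__main__":
    for user, allowed, reason in evaluate_all(SAMPLE_REQUESTS):
        print(f"{user:12} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The ordering of the checks is deliberate: the segmentation test runs first because it does not depend on who the user claims to be, so a lateral-movement attempt from a compromised host is dropped before any identity signal is consulted. Each denial carries a reason string so the same records can feed a SIEM and show which control actually stopped a request.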
Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.