Omni Hotels Shares Lessons Learned One Year After $50M Ransomware Attack

One Year Later: Omni Hotels Details $50M Recovery and Security Overhaul After Devastating Ransomware Attack

INFORMATIONAL
July 1, 2026
Topics: Incident Response, Security Operations, Ransomware

Related Entities: Omni Hotels & Resorts, BlackSuit

Executive Summary

One year after a crippling ransomware attack, Omni Hotels & Resorts has released a comprehensive report detailing the incident's aftermath, the company's recovery, and its subsequent security transformation. The mid-2025 attack, attributed to the BlackSuit ransomware group, caused a nationwide operational shutdown and resulted in over $50 million in losses. In response, the company undertook a complete 'rip and replace' of its legacy security systems, investing over $35 million in a modern, zero-trust architecture. The report offers valuable lessons learned for the hospitality industry and beyond on resilience, recovery, and building a strong security culture.

Incident Timeline & Impact

  • Mid-2025: The BlackSuit ransomware group gains access to Omni's network, moves laterally, and deploys its payload.
  • Immediate Aftermath: A week-long, system-wide outage occurs. Key systems, including reservations, door locks, and point-of-sale (POS) systems, are knocked offline across all properties.
  • Financial Impact: The company estimates the total cost of the incident at over $50 million, factoring in lost revenue, remediation expenses, and investments in new technology.
  • Operational Impact: The attack caused massive disruption for guests and staff, leading to significant reputational damage.

Response Actions & Recovery

Following the incident, Omni appointed a new CISO and embarked on an aggressive recovery and transformation plan.

  • System Rebuild: The recovery process was not a simple restoration. It involved rebuilding core systems from the ground up on new, secure infrastructure to ensure no remnants of the malware remained. Data was painstakingly validated from backups before being brought back online.
  • Security Overhaul: The company abandoned its legacy security model and invested $35 million in a new security stack built on zero-trust principles.

Technical Findings & New Security Stack

The new security architecture focused on preventing the type of attack that succeeded in 2025. Key initiatives included:

  1. Network Micro-segmentation: To prevent lateral movement, the network was divided into small, isolated segments. Even if an attacker compromises one segment, they cannot easily move to another. This is a direct countermeasure to how ransomware spreads across a flat network.
  2. Advanced Endpoint Detection and Response (EDR): A state-of-the-art EDR solution was deployed on all servers and workstations to provide visibility and detect malicious behavior at the endpoint level.
  3. Phishing-Resistant Multi-Factor Authentication (MFA): Phishing-resistant MFA (such as FIDO2 hardware keys) was enforced for all employees, partners, and privileged accounts to make credential theft much more difficult.

Lessons Learned

The Omni Hotels report emphasizes several key takeaways for other organizations:

  • Board-Level Engagement is Crucial: Cybersecurity cannot be just an IT issue. The board and executive leadership must be actively engaged, understand the risks, and champion the necessary investments.
  • Assume Breach Mentality: Organizations should operate under the assumption that they will be breached. This shifts the focus from prevention alone to rapid detection, response, and resilience.
  • Culture of Security: Technology is not enough. A strong security culture, where every employee understands their role in protecting the company, is essential.
  • Transparency Builds Trust: By publicly sharing their story, Omni aims to help other companies and rebuild trust with their customers. This transparency is a valuable contribution to the entire industry.

Mitigation Recommendations

Based on Omni's experience, the following mitigations are critical for organizations, especially in the hospitality sector:

  • Implement a Zero-Trust Architecture: Move away from the traditional 'castle-and-moat' security model. Assume no user or device is trusted by default.
  • Prioritize Network Segmentation: Flat networks are a ransomware operator's dream. Segment your network to limit the blast radius of an attack.
  • Invest in EDR and MFA: Modern EDR and phishing-resistant MFA are foundational controls for defending against today's threats.
  • Test Your Incident Response Plan: Don't wait for a real incident to test your IR plan. Conduct regular tabletop exercises and simulations to ensure your team is prepared.

Timeline of Events

  1. July 1, 2025: Approximate date of the catastrophic BlackSuit ransomware attack on Omni Hotels & Resorts.
  2. July 1, 2026: Omni Hotels & Resorts publishes a report detailing its recovery and security transformation.
  3. July 1, 2026: This article was published.

MITRE ATT&CK Mitigations

Implementing micro-segmentation was a key part of Omni's new strategy to prevent the lateral movement that allowed the ransomware to spread.

Deploying phishing-resistant MFA makes it significantly harder for attackers to gain initial access via compromised credentials.

Deploying an advanced EDR solution allows for the detection of malicious behaviors indicative of ransomware, even if the specific signature is unknown.

Having tested and resilient backups was crucial for Omni's ability to rebuild its systems from scratch.

D3FEND Defensive Countermeasures

Omni's adoption of network micro-segmentation is a critical lesson. In a flat network typical of the hospitality industry, ransomware can spread from a compromised front-desk PC to critical backend reservation and POS systems in minutes. By implementing micro-segmentation, each hotel, or even different functional areas within a hotel (e.g., guest Wi-Fi, POS terminals, door lock systems), can be placed in its own isolated network segment. Traffic between segments is blocked by default and only allowed through a firewall with strict rules. This contains a breach to a small area, preventing a localized incident from becoming a company-wide catastrophe.

The report's emphasis on 'phishing-resistant' MFA is key. Standard SMS or push-based MFA can be defeated by determined attackers using techniques like prompt bombing or SIM swapping. For a high-value target like Omni, moving to phishing-resistant methods such as FIDO2/WebAuthn hardware security keys for all employees, especially those with privileged access, is a necessary step. This raises the bar for attackers significantly, making credential-based initial access nearly impossible and directly addressing a common entry vector for ransomware groups.

Omni's shift to a zero-trust model is a strategic move away from the outdated 'trust but verify' paradigm. A zero-trust architecture enforces the principle of 'never trust, always verify' for every user and device, regardless of its location. In practice, this means every request to access a resource (e.g., a reservation database) is authenticated and authorized based on user identity, device health, location, and other signals. This eliminates the concept of a trusted internal network and dramatically reduces the risk of lateral movement, which was the core reason the 2025 attack was so devastating.
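To make the two controls above concrete (segment-to-segment default deny from the micro-segmentation discussion, and per-request identity/device/MFA checks from the zero-trust discussion), here is an added example that is not from the Omni report or any vendor product: a small policy evaluator over constructed segment names, rules and sample traffic, plus a detector that flags a host whose denied cross-segment attempts fan out across several segments, the kind of signal an EDR or firewall log review would surface.

```python
"""Added example (not from the Omni report): default-deny segment rules plus
zero-trust request checks, and a detector flagging a host whose denied
cross-segment attempts fan out to several segments (a lateral-movement signal).
Segment names, rules and sample requests are constructed assumptions."""
from dataclasses import dataclass

# Constructed allow-list: a flow is permitted only if its exact
# (source segment, destination segment, port) triple appears here.
SEGMENT_RULES = {
    ("front-desk", "reservations", 443),
    ("pos-terminals", "payment-gateway", 443),
    ("door-locks", "lock-controller", 8443),
}
PHISHING_RESISTANT = {"fido2"}  # hardware-key / WebAuthn factors only

@dataclass
class Request:
    src: str              # source segment
    dst: str              # destination segment
    port: int
    host: str             # originating host name
    mfa: str              # "fido2", "push", "sms", "none"
    device_healthy: bool  # EDR agent present and reporting clean

def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason); every check must pass, first failure wins."""
    if (req.src, req.dst, req.port) not in SEGMENT_RULES:
        return False, "no segmentation rule: default deny"
    if not req.device_healthy:
        return False, "device health check failed"
    if req.mfa not in PHISHING_RESISTANT:
        return False, f"mfa method {req.mfa!r} is not phishing-resistant"
    return True, "allowed"

def flag_lateral_movement(reqs: list[Request], threshold: int = 3) -> set[str]:
    """Hosts whose denied attempts reached at least `threshold` distinct segments."""
    denied: dict[str, set[str]] = {}
    for r in reqs:
        if not evaluate(r)[0]:
            denied.setdefault(r.host, set()).add(r.dst)
    return {h for h, dsts in denied.items() if len(dsts) >= threshold}

# Constructed sample traffic: fd-pc-02 behaves like a compromised front-desk PC.
SAMPLE = [
    Request("front-desk", "reservations", 443, "fd-pc-01", "fido2", True),
    Request("front-desk", "reservations", 443, "fd-pc-02", "push", True),
    Request("front-desk", "pos-terminals", 445, "fd-pc-02", "fido2", True),
    Request("front-desk", "door-locks", 22, "fd-pc-02", "fido2", True),
    Request("front-desk", "payment-gateway", 443, "fd-pc-02", "fido2", True),
]
```

Running `evaluate` over `SAMPLE` denies every request from fd-pc-02 (one for push MFA, three for missing segment rules), and `flag_lateral_movement(SAMPLE)` returns only that host.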

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of focus: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

incident response, ransomware, case study, zero trust, resilience, hospitality
