Radisson's Country Inn & Suites hack claim, thousands reported breached


The Country Inn & Suites by Radisson hotel chain has reportedly been hit by ransomware, which, the hackers claim, exposed the sensitive information of thousands of guests – including credit card numbers, account usernames, and even passwords.

The Choice Hotels subsidiary and Radisson Hotel Group chain was claimed by the Everest ransomware group over the weekend.

“Thousands and thousands of client’s personal information” was allegedly stolen in the hack the group reported on its dark leak blog on October 19th, without providing the amount of data it had.

ADVERTISEMENT

The suburban mid-scale hotel chain has more than 530 locations across the US, Canada, Latin America, the Caribbean, and the Asia Pacific, with another 250-plus locations operating or under development in Europe, Africa, and the Middle East.

As of Monday, October 21st, the Everest gang’s ransom countdown clock showed ten days left for the hotel group to “follow the instructions to resolve the issue with us before the timer ends.” If not, the extortionists said, “the data will be published” on its leak site.

The group also claims that “management is aware of events and is not taking any action.”

Country Inn and Suites by Radisson Everest ransomware
Everest leak site. Image by Cybernews.

A spokesperson for Choice Hotels has since responded to a request from Cybernews – we will update this report upon receiving an official statement.

Unmasked guest credit card numbers?

Everest has not publicly posted the amount of its requested ransom demand, but did provide at least seven sample screenshots allegedly part of the stolen data cache.

The ransomware gang claims to possess billing data, credit card information, internal emails, incidents, messages, and full calendar details of past and future bookings.

ADVERTISEMENT

Besides an internal database of guest data, several of the samples Cybernews was able to view on Monday show what looks like a screenshot of Radisson reservation software containing customer names, full addresses, phone numbers, emails, booking dates, and even the room type and rate paid.

The compromised information also appears to contain guest tax ID rewards, program billing info, as well as Choice/Radisson reward account numbers.

Furthermore the gang accused Radisson of “complete negligence in storing passwords and private data.”

Country Inn and Suites by Radisson Everest sample
Everest leak site. Image by Cybernews.

The entire Radisson Hotel Group, which includes 10 Radisson hotel brands was bought up by Choice Hotels for $675 million in 2022.

Another division – Radisson Hotels Americas – also fell victim in 2023 to the Cl0P ransomware gang, responsible for breaching hundreds of victims worldwide as part of the MOVEit hacks.

In that hack, the American headquartered hotel conglomerate had confirmed to Cybernews that “a limited number of guest records were accessed by these bad actors” through a third-party vendor.

Who is the Everest cybercriminal gang?

The Everest ransomware cartel is believed to be connected to the Black-Byte ransomware operations, a ransomware-as-a-service (RaaS) with links to Russia, and is said to have first emerged in July 2021.

Everest claimed in October 2022 to have hacked AT&T, offering up alleged access to the entire AT&T corporate network. Randomly, that 70-million+ AT&T customer dataset re-appeared on the hacker marketplace BreachForums again this April, reportedly connected to another criminal outfit known as Shiny Hunters.

ADVERTISEMENT

Everest also made waves in September 2022, breaching the Brazilian government and stealing 3TB of sensitive data from its network servers.

According to a profile by the NCC group at the time, the Everest threat actor had been observed exploiting compromised user accounts and remote desktop protocol (RDP) for lateral movement.

“Everest’s action on objectives appears to focus on data exfiltration of sensitive information as well as encryption, commonly referred to as double extortion,” researchers said.