MGM ransom gang hits Marriott, Hilton hotel management group LBA Hospitality


The ALPHV/BlackCat ransomware gang – responsible for last month’s debilitating attacks on the MGM and Caesars Las Vegas resorts – has claimed the US hotel management group LBA Hospitality as its latest victim. The LBA portfolio includes nearly 100 hotels under four major hotel chains – Marriott, Hilton, Holiday Inn, and Best Western.

The hotels are primarily located in the southeastern part of the US, scattered across a dozen different states, from North Carolina, Tennessee, and Florida to Maryland, Kentucky, and Panama City, Texas.

ALPHV/BlackCat posted LBA Hospitality on its dark leak site Thursday along with a small sample of files allegedly exfiltrated from the Alabama-based company.

The gang claims to have exfiltrated about 200GB of “highly confidential” internal company data from LBA’s main servers, including both client and employee personnel data such as “CV's, DL's, ID's, SSN's, financial reports, credit cards information, accounting data, loans data, insurance, agreements and much more.”

“You have 3 days for contact with us to decide this pity mistake, which made your IT department, decide what to do in next step. If you prefer keep silence, we will start publicate data, most of it – citizens confidential documents,” ALPHV/BlackCat posted.

ALPHV/BlackCat LBA Hospitality breach
ALPHV/BlackCat leak site

So far, LBA has not commented on if or when a breach may have occurred. Cybernews has reached out to the management company and is awaiting a response.

Besides hotel operations, LBA Hospitality provides a multitude of services to its hotel clients, including human resources, accounting and finance, revenue management, information technology, and sales and marketing, according to its website.

These types of services provided suggests the group could be storing plenty of sensitive data within its network systems.

Still, the underwhelming samples posted on the ALPHV/BlackCat leak site only show what appears to be an individual Pennsylvania driver's license, one US Passport, two unsigned confidentiality and disclosure agreements, and the name and address on a one-year warranty for a 66-foot wooden privacy fence. From 2021.

ALPHV/BlackCat LBA Hospitality breach samples
ALPHV/BlackCat leak site

Meanwhile, there are at least 15 mid-range brand hotel chains that are listed as current clients of LBA Hospitality.

Those under Marriott include the Westin, Courtyard, Fairfield, Springhill Suites, Delta, Townplace, and Residence Inn. Hotels owned by Hilton include the Hampton Inn, Garden Inn, Homewood, and Home2 Suites. Also listed are several Best Western and IHG's Holiday Inn hotels.

Ironically, this also marks the fourth time Marriott has suffered some sort of data breach in the past five years; the last major direct breach exposing the sensitive data of 5.2 million guests took place in the spring of 2020.

ALPHV/BLACKCAT hits hard

The ALPHV/BlackCat ransomware gang has been around since 2021, and is known to operate as a ransomware-as-a-service (RaaS) model.

On September 11th, the ALPHV/BlackCat cyberattack forced MGM to shut down its entire network system leaving the guest rooms unlocked, digital room keys invalid, slot machines out of order, ATMs inoperable, and casino floors empty at all twelve MGM resorts on the Vegas strip for about a week.

In an apparent joint effort with fellow ransomware group Scattered Spider, the gang's ransomware was also used to breach Caesars Entertainment, which is rumored to have paid a ransom of $15 million to keep its operations going the previous week.

According to a Microsoft research profile, ALPHV/BlackCat is also known to have worked closely with other ransomware groups such as Conti, LockBit, and REvil, as well as having links to the Darkside and BlackMatter cybercriminal cartels.

Lately, ALPHV/BlackCat has been among the most active ransomware gangs and, more recently, has been posting blunt commentary about its victims and the media's coverage of its attacks on its dark leak page.

The group was responsible for approximately 12% of all ransomware attacks in 2022, according to cybersecurity analyst ANOZR WAY.


More From Cybernews:

Hello Alfred app exposes user data

Google image search just got better: revealing the origin of goods and information

Curve Finance suffers second crypto cyberattack

Chrome update spreads Trojan malware

Apple TV Plus joins other streamers in raising prices

Subscribe to our newsletter