Attack alert: lockbit5 targets marriott.com - US
Introduction
Hotel giant Marriott International (marriott.com), employing over 120,000 people and generating $20.97 billion in revenue, faced a new cyber threat in December 2025. The LockBit5 ransomware group claimed responsibility for compromising the infrastructure of this global hotel chain, potentially exposing sensitive customer data, reservations, and payment systems. Classified as XC SIGNAL according to our certified analysis, this attack comes at a time when the hospitality sector is already weakened by recurring cybersecurity incidents. The intrusion, detected on December 7, 2025, raises critical questions about the protection of the personal information of millions of travelers worldwide.
This compromise occurs amidst a surge in cyberattacks targeting customer databases and reservation systems within the US hotel industry. Malicious actors exploit the high market value of information related to credit cards, identities, and travel habits. For Marriott, which has managed critical property management systems since its founding in 1927, the impact of such a breach extends far beyond the technical realm, affecting the trust of its international clientele.
Detailed Analysis
Analysis of available metadata reveals that LockBit5 maintains its aggressive positioning in the global cybercrime landscape. Data certified on the Polygon blockchain allows for a precise timeline of this incident, offering unprecedented transparency in a traditionally opaque field. This attack against an organization of this size demonstrates the collective's ability to target complex and highly secure infrastructures.
The XC SIGNAL level indicates a detected exposure whose extent is still being assessed by our analytical systems. Unlike the MINIMAL, PARTIAL, or FULL levels, which precisely quantify the volume of compromised files, the SIGNAL status denotes an active claim requiring close monitoring. This classification allows security teams to prioritize their response while awaiting more concrete information on the exact nature of the affected digital assets.
LockBit5 represents the latest evolution of a particularly prolific and adaptive ransomware franchise. Operating on a Ransomware-as-a-Service (RaaS) model, this cybercriminal collective provides its malicious infrastructure to affiliates who conduct on-the-ground intrusions, subsequently sharing the ransom profits. This decentralized structure significantly complicates attribution and dismantling efforts by authorities.
The group follows in the footsteps of previous LockBit iterations, known for their technical sophistication and operational aggressiveness. Our threat intelligence experts' analyses reveal that LockBit5 maintains an arsenal of proven tactics, techniques, and procedures (TTPs): exploitation of zero-day vulnerabilities, compromise of privileged accounts, stealthy lateral movement, and mass exfiltration before encryption. Their signature is double extortion: encryption of systems AND the threat of publishing the stolen data.
Active in 2025, LockBit5 pursues an opportunistic targeting strategy, striking SMEs and multinationals alike. Their previous victims span all critical sectors: healthcare, finance, manufacturing, and now hospitality. The collective maintains a dedicated leak site on the dark web where they progressively publish the files of organizations refusing to pay, thus maximizing psychological and reputational pressure.
Their modus operandi favors classic initial attack vectors: sophisticated phishing emails, exploitation of poorly secured RDP services, and compromise of the software supply chain. Once initial access is gained, LockBit5 affiliates deploy network reconnaissance tools, escalate their privileges, and establish persistence mechanisms before exfiltration. Final encryption typically occurs during weekends or periods of low activity to maximize impact.
Marriott International has been a cornerstone of the global hospitality industry for nearly a century. Founded in 1927, the company has grown from a modest root beer stand in Washington, D.C., into a hotel empire that now manages more than 8,000 properties in 139 countries and territories. Its portfolio of prestigious brands—Ritz-Carlton, St. Regis, W Hotels, Sheraton, and Westin—positions marriott.com as a leading authority in the hospitality sector.
With over 120,000 employees and $20.97 billion in revenue, the American organization handles millions of sensitive transactions daily. Its IT systems process reservations, credit card payments, loyalty programs (Marriott Bonvoy boasts over 180 million members), biometric data at some properties, and information about customers' personal preferences. This massive concentration of personal and financial information makes Marriott a prime target for malicious actors.
Marriott.com's technological infrastructure relies on interconnected property management systems (PMS), online booking platforms, mobile applications, and globally distributed point-of-sale networks. This architectural complexity, necessary for operating on an international scale, multiplies the potential attack surfaces. Each hotel represents a possible entry point to the central corporate network, creating considerable security challenges.
Unfortunately, the company is no stranger to major cybersecurity incidents. In 2018, Marriott revealed a massive breach of its Starwood database (acquired in 2016), affecting the personal information of 500 million customers over four years. This historic breach resulted in significant regulatory fines and lasting reputational damage. The recurrence of these incidents raises questions about the effectiveness of post-2018 security investments.
The XC SIGNAL status assigned to this compromise indicates an active claim by LockBit5 without immediate confirmation of the exact volume of exfiltrated files. Our XC-Classify analysis systems, based on NIST incident classification methodologies, continuously monitor the group's communication channels to update this assessment. The data suggests that the attackers potentially accessed customer and reservation management systems, critical areas containing names, addresses, passport numbers, bank details, and stay histories.
An examination of the demands published by LockBit5 on their dark web infrastructure reveals an explicit mention of marriott.com dated December 7, 2025. Cybercriminals typically follow a phased release schedule: initial announcement, evidence samples, and then gradual disclosure if the ransom is not paid. At this stage, the absence of publicly accessible files could indicate either ongoing negotiations or a grace period before escalation.
Likely attack vectors against an organization of this size include compromising administrator accounts via credential stuffing or targeted phishing, exploiting unpatched vulnerabilities in third-party PMS systems, or infiltration through a managed service provider. The interconnectedness of Marriott's 8,000+ properties creates multiple opportunities for discreet lateral movement once initial access is established. LockBit5 affiliates typically favor extended reconnaissance periods (several weeks) to map the environment before exfiltration.
Frequently Asked Questions
When did the attack by lockbit5 on marriott.com occur?
The attack occurred on December 7, 2025 and was claimed by lockbit5. The incident can be tracked directly on the dedicated alert page for marriott.com.
Who is the victim of lockbit5?
The victim is marriott.com, which operates in the hospitality sector. The company is located in the United States. Visit marriott.com's official website. To learn more about the lockbit5 threat actor and their other attacks, visit their dedicated page.
What is the XC protocol level for the attack on marriott.com?
The XC protocol level is currently at XC SIGNAL status, meaning the attack on marriott.com has been claimed by lockbit5 but has not yet been confirmed by our community. Follow the progress of this alert.
Conclusion
The likely timeline of the incident suggests an initial intrusion that occurred several weeks before the December 7th claim. Malicious actors likely established multiple points of persistence, escalated privileges to domain administrator accounts, and identified the most sensitive databases. The mass exfiltration would have preceded the ransomware deployment by a few days, following the classic double extortion playbook. Marriott's security teams likely detected the malicious activity during encryption or through alerts for abnormal data transfers.