Key Findings

The hospitality and recreation sector—encompassing industries such as arts, entertainment, and gambling—has increasingly drawn the attention of cybercriminals. Between September 1, 2024, and February 28, 2025, threat actors ramped up efforts to exploit this sector through spearphishing, impersonation campaigns, ransomware, and vulnerabilities in external remote services. These financially motivated attacks not only target sensitive customer data and operational systems but also threaten the sector’s reputation and business continuity. Let’s dive into the key findings from this period and explore how organizations in this sector can strengthen their defenses against rising cyber threats.



External Remote Service Exploits Grew by 5X

One of the most significant trends during the reporting period was a 433% surge in attacks targeting external remote services, such as VPNs, virtual desktop infrastructure (VDI), and Remote Desktop Protocol (RDP). In January 2025, a large-scale brute-force campaign compromised nearly 2.8 million IP addresses and targeted vulnerabilities in edge devices like Palo Alto GlobalProtect and SonicWall NetExtender. This campaign was also reflected in a 45-fold increase in ReliaQuest customer brute-force alerts, highlighting the massive scale of these opportunistic attacks.

Figure 1: Top attack techniques in true-positive customer incidents for the hospitality and recreation sector compared to all sectors, September 1, 2024–February 28, 2025

Threat actors exploited stolen or brute-forced credentials, often obtained through phishing, data leaks, or purchased from Initial Access Brokers (IABs). The gambling subsector was hit hardest, followed by the music, media, and tourism industries. The hospitality and recreation sector’s reliance on remote-access technologies to support global operations and 24/7 availability makes it an enticing target. The misconfiguration or inadequate security of these technologies creates an open door for attackers.

To counter this threat, organizations should implement conditional access policies for remote services, enforce multifactor authentication (MFA), and deploy verbose logging to monitor suspicious activity. Proactively patching vulnerabilities and securing web applications with firewalls and secure coding practices are also crucial steps.
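As an added illustration (not part of the original report), the sketch below shows the kind of detection that verbose remote-access logging enables: a brute-force campaign spread across many source IPs keeps each IP's failure count low, so the check counts failures and distinct sources per account instead. The log format, field names, account names and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical gateway log format (documentation IPs).
SAMPLE_LOG = """\
2025-01-18T03:00:10Z vpn-gw auth result=FAIL user=jsmith src=192.0.2.44
2025-01-18T03:00:25Z vpn-gw auth result=FAIL user=jsmith src=192.0.2.44
2025-01-18T03:00:41Z vpn-gw auth result=OK user=jsmith src=192.0.2.44
2025-01-18T03:10:02Z vpn-gw auth result=FAIL user=frontdesk src=203.0.113.5
2025-01-18T03:11:15Z vpn-gw auth result=FAIL user=frontdesk src=198.51.100.9
2025-01-18T03:12:40Z vpn-gw auth result=FAIL user=frontdesk src=203.0.113.77
2025-01-18T03:13:58Z vpn-gw auth result=FAIL user=frontdesk src=198.51.100.210
2025-01-18T03:14:30Z vpn-gw auth result=OK user=frontdesk src=203.0.113.140
2025-01-18T03:20:05Z vpn-gw auth result=FAIL user=svc-booking src=203.0.113.5
2025-01-18T03:22:11Z vpn-gw auth result=FAIL user=svc-booking src=198.51.100.9
2025-01-18T03:23:47Z vpn-gw auth result=FAIL user=svc-booking src=203.0.113.5
2025-01-18T03:25:30Z vpn-gw auth result=FAIL user=svc-booking src=192.0.2.200
"""
LINE_RE = re.compile(r"^(\S+) \S+ auth result=(FAIL|OK) user=(\S+) src=(\S+)$")

def parse(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src

def detect(lines, window=timedelta(minutes=10), min_fails=4, min_ips=3):
    """Flag accounts whose failures inside `window` come from many source IPs,
    a pattern per-IP lockout counters miss; escalate if a login then succeeds."""
    recent = defaultdict(deque)  # user -> failures still inside the window
    alerts = {}                  # user -> alert name
    for ts, result, user, src in filter(None, map(parse, lines)):
        fails = recent[user]
        while fails and ts - fails[0][0] > window:
            fails.popleft()      # expire failures older than the window
        if result == "FAIL":
            fails.append((ts, src))
            if len(fails) >= min_fails and len({s for _, s in fails}) >= min_ips:
                alerts.setdefault(user, "distributed-bruteforce")
        elif user in alerts and fails:
            alerts[user] = "possible-compromise"
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

The jsmith account (two mistyped passwords from one address) raises nothing, while a success that follows a distributed burst is escalated so the session can be reviewed or revoked.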



Credential Harvesters Drive Increased Impersonation Campaigns

Impersonation campaigns emerged as a leading tactic during the reporting period, with threat actors using fake domains and social media profiles to deceive customers and steal credentials. Nearly half of phishing emails targeting the sector (44%) contained credential harvesters—fake login pages designed to steal user credentials. Another 5% of phishing emails carried malware, often infostealers that extract saved credentials from browsers.

Figure 2: Top true-positive alerts for hospitality and recreation sector, February 1–August 31, 2024, vs September 1, 2024–February 28, 2025

The use of fake social media profiles to impersonate hospitality and recreation organizations has also become a prevalent threat. These fake accounts promote fraudulent offers like free event tickets or gambling top-ups, exploiting user trust and luring victims into phishing scams. While such schemes damage brand reputation and erode customer trust, they also pave the way for secondary attacks, such as business email compromise (BEC).

Fortunately, proactive efforts by organizations have led to a 12% decline in social media impersonation incidents. By using digital risk protection (DRP) tools to detect and remove fake profiles, registering similar domains to prevent abuse, and educating both customers and employees on recognizing phishing attempts, organizations can mitigate these risks.



Sector Sees 43% Growth in Ransomware from Fewer Groups

Ransomware attacks against the hospitality and recreation sector rose by 43% during the reporting period, with 109 victims listed on data-leak sites. Although the number of ransomware groups targeting the sector declined slightly, certain groups—such as Medusa, RansomHub, Play, and Akira—intensified their efforts.

Figure 3: Top ransomware groups targeting the hospitality and recreation sector, September 1, 2024–February 28, 2025

The sector’s reliance on intellectual property (IP) and donor data makes it particularly vulnerable. A breach leaking unfinished content, such as video game prototypes or film footage, can derail marketing campaigns and cause significant financial losses. Similarly, ransomware gangs often exploit donor data from museums and cultural institutions to launch “whaling” attacks on high-net-worth individuals.

One ransomware group, Akira, has demonstrated a specific focus on casinos. By targeting IoT devices such as smart slot machines and security cameras, Akira bypasses traditional endpoint detection and response (EDR) systems. This tactic has been effective in infiltrating networks, as seen in its attacks on Avi Resort & Casino and Black Oak Casino.

To defend against ransomware, organizations should secure VPNs, segment IoT networks, and block suspicious file-sharing domains. Automated responses, like isolating compromised hosts and banning malicious hashes, can also help contain and mitigate ransomware attacks before they escalate.



Cryptocurrency Draws Gamblers—and Attackers

As casinos and gambling platforms increasingly adopt cryptocurrency to attract customers seeking privacy and low transaction fees, they also expose themselves to heightened risks. Cryptocurrencies are difficult to trace, making them a prime target for theft. For example, in February 2025, North Korea’s Lazarus Group stole $1.46 billion from the Bybit exchange. Similar attacks on the hospitality and recreation sector are likely to grow as online gambling platforms embrace cryptocurrency.

Additionally, insider threats are becoming a growing concern, fueled by tensions surrounding AI adoption in creative industries. Employees displaced by AI-driven automation may become disgruntled and assist ransomware groups or leak sensitive data. In July 2024, an insider breach at Disney exposed 1.1TB of Slack data, showcasing the damage that insider threats can cause. As AI adoption continues, ideologically driven insider attacks are expected to rise.

Organizations can address these emerging threats by securing their payment systems, monitoring employee activity for suspicious behavior, and fostering a culture of transparency and communication to reduce insider risks.



Strengthening Cyber Resilience in Hospitality and Recreation

The hospitality and recreation sector’s visibility, reliance on IoT devices, and use of remote-access technologies make it an attractive target for cybercriminals. To stay resilient against evolving threats, organizations must adopt a multi-faceted approach to cybersecurity. This includes:

  • Securing Remote Services: Enforce MFA, implement conditional access policies, and patch vulnerabilities in VPN and RDP services.
  • Combating Impersonation: Use DMARC, SPF, and DKIM to prevent domain spoofing, and deploy DRP tools to detect fake social media profiles.
  • Defending Against Ransomware: Segment IoT networks, block suspicious domains, and implement automated response playbooks to contain threats.
  • Addressing Emerging Risks: Secure cryptocurrency transactions and mitigate insider threats through robust monitoring and employee engagement.

By taking these proactive steps, the hospitality and recreation sector can better safeguard its operations, customer data, and reputation against the growing wave of cyber threats.

