On September 11, MGM Resorts International released news of a cybersecurity problem on X (formerly Twitter). In the following days, the incident became clearer: MGM Resorts International, a hotel company that owns 31 hotels and casinos around the world, has been the victim of a ransomware attack.
The company filed a Form 8-K making a brief statement echoing its first words on X. Over the next few days, the company released updates on access to its services.
What can cybersecurity leaders and other business stakeholders learn from this high-profile ransomware attack?
Social engineering is an effective tactic
On September 12, vx-underground, a malware source code collection and information exchange platform, attributed the attack to the ALPHV ransomware group, also known as Black Cat. In an X post, it notes that the group gained access simply by finding an employee on LinkedIn and calling the help desk.
This tactic is known as voice phishing or vishing. Attackers can use vishing to “…get two-factor authentication for these accounts so they can access their company’s infrastructure and move laterally from there,” Justin Albrecht, Global Director of Business Intelligence mobile threats at the cloud data protection and security platform Attention, tells InformationWeek in a telephone interview.
“Based on their TTPs (tactics, techniques and procedures) and the way we know they operate, this is a very typical way for them to get into organizations and probably what they used here,” he adds.
Scattered Spider goes by other names, including Oktapus and Scatter Swine. The group has already seen massive success using social engineering tactics. In 2022, Oktapus was associated with the social engineering attack that targeted Twilio and Cloudflare. The attack resulted in the recovery of approximately 10,000 sets of Okta credentials, with a ripple effect that brought more than 130 other organizations into the attack. The group used ALPHV ransomware in the MGM attack.
Threat actors demonstrate professionalism
Ransomware groups are increasingly focusing on branding and reputation, according to Ferhat Dikbiyik, head of research at third-party risk management software company Black Kite. “When ransomware first emerged, the attacks were relatively simple. Over the years, we have seen a clear rise in their capabilities and tactics,” he told InformationWeek in a telephone interview.
The collaboration between groups like Scattered Spider and ALPHV is an indication of this increased professionalism. In addition, ALPHV issued a statement detailing its access to MGM’s systems on September 14.
In the statement, the group takes umbrage at rumors about its actions and the people behind its attack. “We did not attempt to manipulate MGM’s slot machines to cough up money, as that would not be to our advantage and would reduce the chances of closing a deal.”
The group also said: “The rumors that teenagers from the US and UK are breaking into this organization are still just rumors. We’re waiting for those seemingly respected cybersecurity companies that continue to make this claim to start providing solid evidence to support it.”
Dikbiyik also notes that ransomware groups’ more nuanced selection of targets is an indication of increased professionalism. “These groups are doing their homework. They have resources. They acquire intelligence tools… they try to know their targets,” he says.
Although ransomware is lucrative, money is not the only goal. Selecting high-profile targets, such as MGM, helps these groups build a reputation, according to Dikbiyik.
The consequences of a ransomware attack are costly
The immediate impact of the cyberattack on MGM’s operations was significant. In its statement, ALPHV claims that MGM shut down its Okta Sync servers when it discovered the group’s presence. But the threat actor retained administrator privileges. After waiting a day, the group launched ransomware attacks, according to the statement.
In the days following the attack, various parts of MGM’s operations were offline. Bloomberg reported that digital keys for hotel rooms and slot machines did not work. This type of downtime is expensive. Potential third-party litigation and investments in more cybersecurity controls could also play a role in increased spending.
Additionally, the cyberattack could impact the company’s credit rating. “Moody’s issued a statement that this cyber event could result in a downgrade to MGM’s credit rating, which I consider reputational damage because it could impact MGM’s borrowing capacity,” Allen Blount, national cyber and technology product manager for brokerage and consulting firm Risk Strategies, shares by email.
Customer dissatisfaction with the company’s efforts to return to normal operations could also damage its reputation. “We saw this manifest on social media as many MGM customers expressed their displeasure on X and Instagram. These customers may decide not to go to another MGM location,” Blount explains.
While the costs are adding up for MGM, it appears a ransomware payment is not being added to the list at this point. ALPHV noted in its statement: “We believe that MGM will not agree to do business with us.”
Caesars Entertainment, another hotel and casino company, was the victim of a social engineering attack just days before MGM. “On September 7, 2023, we determined that the unauthorized actor had acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers of a significant number of members of the database,” according to its 8-K. Caesars paid 15 million dollars, according to CNBC. Bloomberg reports that the same threat actors were behind the attacks on Caesars and MGM.
If MGM ultimately doesn’t pay, it will have to examine what data bad actors exfiltrated and what data will be exposed or sold.
Ransomware attacks likely to continue
Profit from ransomware decreased in 2022, but that doesn’t mean threat actors will give up on these attacks. The billions generated so far from ransomware payments provide significant motivation to continue searching for new victims to extort. “This attracted more organized and knowledgeable players to this field, transforming what might have been amateur or small-scale hackers into sophisticated and structured organizations,” says Dikbiyik.
Additionally, the increasing availability of ransomware-as-a-service allows relatively unskilled malicious actors to launch these types of attacks.
With more ransomware attacks on the horizon, businesses need to think about their own vulnerability and ways to reduce risk. Albrecht emphasizes the importance of preparing for an attack. “You need to be able to thwart…these social engineering attacks using technical processes and tools in addition to employee training,” he says.