Titans in crisis: unraveling the MGM and Caesars ransomware timeline


MGM Resorts International and Caesars Entertainment made headlines in Las Vegas, stealing the spotlight in 2023 as the new poster child for corporate ransomware attack victims. How did this incident unfold, who is responsible, and what are the future implications?

The cyber gang claiming to be behind the attack – ALPHV/BlackCat – shows no sign of slowing down. RansomLooker, a new Cybernews tool monitoring the dark web, indicates that the crooks recently listed a German boutique hotel chain as its latest ransom victim and is among the top three most active ransomware gangs out there, sowing panic across a multitude of industries.

Five most active ransomware gangs
ADVERTISEMENT

Now, MGM has revealed that the September 11 attack will result in a $100 million dollar loss for the 3rd quarter alone – proving how just one employee mishap can shut down an entire hospitality conglomerate for nearly a week and cost a company millions.

In fact, studies show that human error is the root cause of more than 80% of all cyber breaches.

To highlight the growing threat and help companies to better prepare for it, Cybernews is taking you through the MGM and Caesars ransomware attacks step by step, highlighting the most memorable moments and lessons to be learned along the way.

Overture: Cliff Notes summary

Las Vegas hospitality and gambling giants MGM Resorts and Caesars Entertainment both fell victim to a massive cyberattack ransom attack last month, with MGM operations across 31 resorts severely impacted because of the incident.

Caesars was said to have paid millions in ransom to avoid the same fate as its counterpart, and as nothing happens in a vacuum, Cybernews will address both attacks in this timeline deconstruction.

In the days following the MGM attack, social media was smattered with video clips and images of empty and cashless casino floors, out-of-order slot machines, snaking lines of frustrated guests winding through hotel lobbies at all hours, and massive security concerns as room key cards became inoperable allowing guests to freely traverse endless hallways of unlocked rooms.

Two known ransomware gangs took responsibility for the cyber carnage – the notorious Russian-linked ALPHV/BlackCat (ALPHV) and the lesser-known Scattered Spider. The attacks were carried out using a simple but effective social engineering method known as vishing.

ADVERTISEMENT

As aptly phrased by our dark web monitoring counterparts at VX Underground, a $34 billion-valued company was defeated by a 10-minute conversation when an attacker successfully impersonated an MGM employee discovered on LinkedIn.

For large businesses, those costs may be a drop in the bucket, but for many small and mid-sized businesses, the financial and reputational ramifications from a cyberattack is to great.

Statistics have proven that nearly 60% of small businesses who suffer a major breach are forced to shut down within the same year.

RansomLooker MGM 5 facts
Image by Cybernews.

How the attacks unfolded

Sunday, August 27th

According to anonymous media sources, Scattered Spider, also known in the security industry as UNC3944, began targeting Caesars weeks before either attack was made public.

Thursday, September 7th

Caesars Entertainment quietly files a breach report with the US Securities and Exchange Commission (SEC), claiming it had “identified suspicious activity in its information technology network resulting from a social engineering attack on an outsourced IT support vendor used by the Company.”

In the filing, Caesars describes “quickly” activating their incident response plan, which included containment, remediation, notifying the proper authorities, and launching an investigation.

ADVERTISEMENT

Caesars’ investigation finds the attackers were able to access and exfiltrate a copy of the company’s guest loyalty program database, among other data. The database is said to include “driver’s license numbers and/or social security numbers for a significant number of members in the database.”

Although Caesars has not confirmed any ransom payment, the SEC report alludes to some sort of deal between Caesars and the threat actors.

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars stated in the report.

There is still no official announcement that a breach has taken place.

Caesars also states in the report that operations for all physical properties, guest services, casinos, and online and mobile gaming apps were not impacted.

Sunday, September 10th

Local media begins to get wind of a possible MGM cyberattack.

It is reported that the FBI and the Nevada Gaming Control Board have been in contact with MGM since Sunday morning.

Monday, September 11th

MGM first posts a short statement about a “cybersecurity issue” on social media around 11:30 a.m. ET Monday morning.

ADVERTISEMENT

MGM states they have taken some of their systems offline and have launched an investigation into the nature and scope of the incident.

The websites of all 31 MGM resorts, the main MGM Resorts International, and its mobile rewards app are unavailable.

MGM cyberattack
The MGM Rewards app and MGM Grand website were unavailable on September 11, 2023. Image by Cybernews.

By Monday evening, rumors of Caesars being hit by a cyberattack first surface, including talk about a $30 million ransom paid to the attackers. Additionally, anonymous sources say the MGM attackers are also asking for a large ransom.

Social media users begin to report that slot machines and ATMs at MGM resorts on the Las Vegas strip are out of service, including MGM’s door lock monitoring system for all guest rooms.

The MGM Borgata in Atlantic City, New Jersey, reports issues on casino floors.

Tuesday, September 12th

The ALPHV/BlackCat ransom gang claims MGM as the victim. A method used to breach systems is identified – a voice-based phishing attack known as vishing.

MGM attacks are almost identical to the social engineering attacks on Caesars, also targeting a third-party IT help desk.

ADVERTISEMENT

All digital guest services remain down at the twelve MGM brand hotels on the Las Vegas strip.

Customers continue to take to social media to complain of deplorable conditions, such as raw sewage backing up in sinks, no hot water, and hours-long lines to speak with the front desk.

MGM cyberattack chaos water to wine

Wednesday, September 13th

Scattered Spider is now identified as the second hacker group involved in both attacks.

The group is thought to have gained access to MGM systems by impersonating an employee found on LinkedIn, and then convincing the IT help desk to reset the “employee’s” MGM password, a common tactic for the group who are known to be experts in crafted attacks.

The mostly English-speaking gang, with alternate names Scatter Swine, Roasted 0ktapus, and Storm-0875, are profiled to be between the ages of 17 and 21 years old and financially motivated, said Nick Hyatt, Senior Consultant at cybersecurity firm Optiv.

Threat intel researchers at Mandiant reported in mid-2023 that the group began to shift its tactics to include deploying ransomware in their attacks – in this case, ransomware by ALPHV.

For a cut of the ransom payout, ALPHV, a known ransomware-as-a-service operator, was most likely tasked with maneuvering through the MGM network to find and extract sensitive data, researchers say.

The Cybernews RansomLooker tool shows ALPHV/BlackCat as one of the top three active ransomware gangs in the world today, with a majority of those attacks in the United States.

Although the affiliate groups historically may share a similar toolset, these are two distinctly separate groups, said Hyatt.

ADVERTISEMENT

Thursday, September 14th

ALPHV posts a 1000+ word statement on its dark leak site to address the week-long rumor mill about which group was really behind the attacks.

The group claims it had successfully infiltrated MGM’s infrastructure the previous Friday (September 8th), but waited until Sunday to launch its ransomware attacks, mainly due to the lack of response from MGM engineers.

The group lashes out at those in the media for spreading false narratives about ALPHV “tampering with MGM slot machines to spit out cash” and 'insulting' the seasoned ransom gang by connecting it to novice groups.

ALPHV/BlackCat statement on MGM attack
ALPHV dark leak site

ALPHV also made a point in its statement that MGM took its systems offline even before it had launched the ransomware in the MGM systems, essentially chiding the resort conglomerate for its own self-imposed chaos.

Yet, in reality, MGM did exactly what it was supposed to do when a system has been breached and is still in the early stages of an attack, said Mantas Sasnauskas, Head of Security Research at Cybernews.

September 18th and on

Research reports continue to come in from different groups about the prevalence of attacks on the hospitality sector.

Luxury hotel chains and resorts are primary targets of several “active and ongoing” phishing campaigns dated within the last 60 days as of September 22nd.

85% of the campaigns target their victims with phishing emails containing malicious links, another form of a social engineering attack.

The report shows the emails are crafted to look like typical guest inquiries, such as booking requests, reservation changes, and special requirements.

Ransom gangs know practice makes perfect

Like any successful cyber kill chain framework, threat actors will initially compromise a target using ”reconnaissance and espionage,” said Sasnauskas.

Scattered Spider and ALPHV are no exception.

“In this case, it was a social engineering attack,” Sasnauskas explained. And in most cases, social engineering is the easiest way to get access.

“People do experiments to see how easy it is to get someone's account. There are numerous books about numerous techniques,” Sasnauskas says.

“Techniques like a sense of emergency, even a mother with a crying baby. To be honest, it’s really easy and the threat actors can get really good at it,” he added.

Even though the gang is relatively new (since 2022), its social engineering and spear phishing attacks are very sophisticated, said Steven Erwin, senior security consultant at TrustedSec.

“They are known for voice phishing helpdesks, call centers, and even security operations centers (SOCs) to gain initial access,” Erwin told Cybernews.

The group has also been labeled as “ruthless,” sometimes personally going after a company’s company’s C-suite with its advanced vishing skills, a tactic known as “SWATing.”

For example, the gang has been known to fake emergency service calls, tricking operators into sending armed police units to the homes of executives.

CEO David Bradbury of the San Francisco-based identity management firm Okta said his company had “consistently seen, over the past six to 12 months, a ramp up in these types of attacks."

In fact, five of Okta’s clients had fallen victim to Scattered Spider and ALPHV’s ‘help desk vish” in the month of August, many of the attacks targeting similar hospitality groups, say intel insiders.

ALPHV/BlackCat listed the German Motel One boutique hotel chain as its latest ransom victim on September 30th, the Cybernews’ RansomLooker tool indicates.

Madiant has logged more than 100 intrusions by Scattered Spider since it emerged on the scene two years ago, and Crowdstrike analysts have clocked 52 of Scattered Spider attacks since March.

One could easily assume that the successful vishing on Caesars only spurred the attackers to go after MGM, especially after the alleged $15m ransom demand was paid so quickly and without fuss.

How to prevent ransomware

All about perception

ALPHV's calculated approach to this entire affair raises some eye-opening questions, Ferhat Dikbiyik, head of research at Black Kite, told Cybernews.

“The group's detailed statement on the attack provides an almost surgical breakdown of MGM Resorts' security weaknesses…and pointed to a variety of technical vulnerabilities, specifically on ESXi servers,” Dikbiyik said.

“This isn't just a bunch of 'nerds doing things for fun'; ALPHV's statement exudes a sense of professionalism, almost as if they want to be perceived as a 'professional' ransomware group,” he said.

Modern ransomware groups like ALPHV are increasingly savvy and understand the power of perception and public opinion, says Dikbiyik.

It’s a way to make “their financial demands appear more reasonable,” he said.

And what about MGM’s perception over the past week?

It’s been a varied pot of ups and downs for MGM, depending on what entity is referencing the attack.

On September 22nd, MGM Resorts released a statement claiming that all its hotels and casinos are now “operating normally.”

But, for the 52,000 employees at MGM, things are not what they seem.

One worker claims that all MGM employees’ personal and banking info has been hacked, while information regarding schedules, vacation hours, 401K, and attendance points have all been wiped from the system.

“We have gotten ZERO answers about anything,” the worker stated.

As of Tuesday, October 3rd, all of the statements MGM released to the public over the past few weeks regarding the massive cyberattack have been wiped from MGM’s social media accounts.

Almost like it never happened.