MGM cyberattack claimed by ALPHV/BlackCat ransom gang
New information has surfaced claiming the ALPHV/BlackCat ransomware group is responsible for Monday’s debilitating cyberattack on MGM Resorts International. With rumors about a large ransom payment swirling, some insiders say the Las Vegas-based firm may not even be able to pay its employees come Friday.
According to a post Tuesday night by the malware repository vx-underground, the ransom gang was able to breach the entertainment and hospitality giant through a social engineering attack.
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” vx-underground posted on X (formerly known as Twitter).
“A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” the post said.
Casinos are both repositories of "substantial wealth and vast volumes of personal and financial data" that leave little room for operational downtime, said Chris Denbigh-White, Chief Security Officer for Next DLP.
This "renders them exceptionally enticing prey for cyber-criminal syndicates on the hunt for financial gain," Denbigh-White said.
According to vx-underground, the threat actors themselves have claimed responsibility, although at the time of writing this article ALPHV/BlackCat has made no mention of the attack on its dark leak pages.
Monday’s cyberattack forced the MGM hospitality group to shut down the company’s network systems, leaving guest rooms inaccessible, digital room keys invalid, slot machines out of order, ATMs inoperable, and casino floors empty.
Moreover, the websites of all 31 MGM resorts, including the dozen located directly on the Las Vegas strip, have also been down since Monday, as well as the company's mobile rewards app, leaving front desk staff scrambling to accommodate cranky guests who have been steadily posting on social media throughout the ordeal.
MGM Resorts' sweeping response, shutting down a substantial segment of its infrastructure, can be likened to a “nuclear option,” Denbigh-White said, and one that will most certainly "affect its near-term revenue-generating capabilities indisputably,” he added.
One of the more alarming aspects of the attack was its effect on the casino's slot machines, said David Mound, Senior Penetration Tester at SecurityScorecard.
“Slot machines are usually on a segregated network, so it's not clear if they were taken down as a precaution or if somehow the attackers have managed to traverse across into it,” Mound said.
“This really drives home the point that cyber attacks can throw a wrench into the most crucial parts of a business, potentially causing massive financial setbacks,” he said.
Although by late Monday night, MGM had claimed that services such as dining, entertainment, and gaming were operational, the scene at the MGM Bellagio Tuesday night was a whole other story, as queues for the front desk were shown to have been backed up for hours by around 7 p.m. CT.
The same scene is reportedly playing out at other MGM resorts in Las Vegas as well.
Ironically, the cyberattack took place just weeks after the two largest cybersecurity and hacker events in the world – Black Hat and DEF CON – descended on Vegas without a hitch.
Meanwhile, security insiders have been debating how the threat actors were able to compromise the massive hotel and casino conglomerate and whether a ransom will eventually be paid.
Vx-underground and others agree that social engineering is the most likely explanation for initial access. The former said: "This particular subgroup of ALPHV ransomware has established a reputation of being remarkably gifted at social engineering for initial access."
X user @EvilSecOfficial said "I called ALPHV being responsible... sadly."
"Vishing [voice or call-based phishing] is surprisingly easy right now in terms of people not caring in cyber. Employees are so burnt out and organizations are loading up work combined with alert fatigue... makes things extremely easy," they said.
Cybersecurity professional and X user @BrandonDague said "Idk [sic] why people are acting like this can't happen. As a social engineer myself who has done vishing attacks for security assessments... I can't tell you how many times I got my target information by just talking to IT using personas I used from LinkedIn."
In other developments, @LasVegasLocally, a user who has been regularly posting on X with MGM insider information since the breach, said Tuesday night that "MGM Resorts execs are worried the company won't be able to pay employees on Friday."
Monday, social media rumors were also spreading about fellow Las Vegas resort, Caesars Palace, and its own brush with ransomware. The story being told is that the hotel and casino were also compromised by threat actors the previous week, and the company chose to quietly pay a $30 million ransom to the attackers, mainly to "avoid the problems MGM is experiencing."
The MGM incident underscores a universal truth—namely, that the calculus of cyber risk knows no industry bounds, Denbigh-White explained.
"The profound implications of this breach reverberate well beyond the casino walls, resonating as a stark reminder to senior leadership teams across sectors that the pursuit of resilience, protection of data, and the preservation of digital trust are mandates of our digital age," Denbigh-White said.
Cybernews has reached out to MGM, and is still awaiting a response.
Who is ALPHV/BlackCat ransomware?
While MGM continued to struggle with its recovery Tuesday, at about 5 p.m. ET, ALPHV/BlackCat was busy posting a full 2.5TB of stolen data from another one of its alleged victims, the Japanese watchmaker Seiko, whose breach was made public in August.
The ALPHV/BlackCat ransomware gang has been around since 2021.
Operating under a ransomware-as-a-service (RaaS) model, the gang is known for writing its ransomware in the Rust programming language.
According to a Microsoft research profile, ALPHV/BlackCat is also known to have worked closely with other ransomware groups such as Conti, LockBit, and REvil, and to have links to the DarkSide and BlackMatter cybercriminal cartels.
According to cybersecurity analyst ANOZR WAY, the group was responsible for approximately 12% of all attacks in 2022.
In mid-May, the gang said it had breached Mazars Group, an international audit, accounting, and consulting firm.
The group is currently known to be using a more sophisticated ransomware variant known as Sphynx.
Cybernews will follow the story.