On September 10, 2023, MGM Resorts succumbed to a ransomware attack by the infamous cyber gang ScatteredSpyder, a BlackCat (also known as ALPHV, Noberus) ransomware-as-a-service affiliate.
Over the past five days, customers of MGM properties—including Bellagio, the Cosmopolitan, Luxor, Mandalay Bay Resort and Casino, MGM Grand, New York-New York, and other properties across the U.S.—have all experienced outages of varying degrees. On September 12, while customers were tweeting that MGM casino and hotel property’s technology was still inoperable, the malware research collective VX-Underground reported that MGM was a BlackCat affiliate victim.
ScatteredSypder claimed it socially engineered the MGM helpdesk by impersonating an IT employee using the information gleaned from their LinkedIn profile. Ironically, two hacker conferences, Black Hat and DEF CON, were held just weeks before at Mandalay Bay. One could almost imagine ScatteredSpyder thinking it would be bad karma to attack these hotels during the world’s preeminent hacker conference.
BlackCat’s Ransomware-as-a-Service emerged in November 2021. Blackcat’s specialty is a double extortion approach with countermeasures to avoid detection and threat hunters. After wreaking havoc on dozens of organizations, the FBI released a flash report on April 22, 2022, detailing the indicators of compromise associated with this ransomware-as-a-service.
BlackCat operates like an advanced software design firm by releasing named products (e.g., Sphynx), programming in Rust, and providing product documentation and release notes. BlackCat’s ability to morph its tradecraft and weapons of attack into increasingly stealthy methods has attracted affiliates like ScatteredSpyder.
Two weeks before the MGM attack, Caeser’s experienced a social engineering attack by ScatteredSpider on an outsourced IT support vendor. The Wall Street Journal reported that Caesars paid half the requested US$30 million ransom to continue operations. MGM refused to pay, opting to switch to manual processes for ten days. The Financial Times reported that ScatteredSpyder allegedly breached the security at MGM’s casinos, originally planning to manipulate the slot machines’ software and recruit mules to gamble and milk them. When that failed, they reverted to a ransomware attack as they had been in the system for five days.
Now, back to the central question: Did one casino paying ransom lead to another being attacked? This analyst believes that to be true. Ransomware operators have economic models targeting certain industries, such as healthcare. Why? They always pay. Around this attack, three additional casinos were hit by ransomware attacks. Casinos are now on ransomware operators’ radar.
This attack underscores the need for cyber resilience, incident response planning, cyber hygiene, and a board-level understanding of crisis management. But in this case, humans let the ransomware operators in. To learn how to harden humans against attacks, check out Datos Insights’ report by my colleague John Keddy, Ransomware: Harden the Humans, Not Just the Infrastructure, March 2023.