Scattered Spider Suspect Nabbed for MGM Ransomware Attack
UK law enforcement arrested a 17-year-old boy in connection with the 2023 ransomware attack on MGM Resorts International.
In September 2023, ransomware attacks struck MGM Resorts International and Caesars Entertainment within days of one another. Scattered Spider, using ALPHV ransomware, was the suspected group behind the attacks.
Coordinated law enforcement action led to the arrest this week of a 17-year-old boy in Walsall, a town in England. And this is not the first Scattered Spider arrest made this year. How much progress is being made in the fight against ransomware groups?
Scattered Spider Arrests
The Regional Organised Crime Unit for the West Midlands (ROCUWM), the UK’s National Crime Agency, and the Federal Bureau of Investigation (FBI) worked together to coordinate the arrest of the 17-year-old suspect in the ransomware attack on MGM Resorts International, according to the West Midlands Police. The arrest was a part of a global investigation of cybercrime groups.
This arrest is one in a recent series of law enforcement actions taken against individuals connected to Scattered Spider. In June, Spanish authorities arrested a 22-year-old suspected of being a group leader, and in January a 19-year-old linked to the ransomware group was arrested in Florida.
The consequences for those arrested, including a minor, are not yet known.
While individual arrests can feel like a drop in the vast bucket of cybercrime, they may give law enforcement more means to act.
“It's not just the individual. It is how much intelligence they collect, what do they know, and what information can be gained from their computer, their network, their knowledge of how the network operates,” Michael McPherson, senior vice president of security operations at cybersecurity company ReliaQuest, tells InformationWeek.
Chipping Away at Ransomware Groups
The ransomware attack on MGM took place in September 2023, and the arrest of the latest Scattered Spider suspect happened in July of this year. The timeline can feel long, but the coordination across various agencies and countries is a heavy lift.
“It never comes as fast as anybody likes, but I think it's a continued, steady drumbeat,” says McPherson.
To compound the challenges of coordination, individuals involved in ransomware are often beyond the reach of law enforcement in Western countries. They can operate in countries such as Russia that do not have extradition agreements with the US or the UK.
As law enforcement ramps up pressure against ransomware groups, it is possible that the individuals involved will simply scatter and rebrand. The people working under the Scattered Spider banner may simply pause their activities and resurface under a different name.
“There's not gonna be a banner at the end of this saying, ‘Mission accomplished against cybercrime,’” says McPherson. “Increasing the risk and consequences so people cannot act with impunity, I think is the level where we need to be.”
An Ongoing War
While law enforcement action may deter some people, ransomware continues to be a lucrative business that will attract threat actors. And the consequences of their ongoing attacks are not just financial.
“These ransomware groups are legitimately killing people in hospitals in the US right now. And until we start to focus way more attention on what we can do to balance this out, it's just going to get worse and worse, day after day like it has the last three, four, five years,” says Jon Miller, CEO and cofounder of Halcyon, an anti-ransomware and cyber resilience platform.
Law enforcement is not the only stakeholder in this ongoing battle. The organizations targeted by ransomware groups very much have skin in the game and roles to play in fighting back.
McPherson emphasizes the importance of information sharing. “Time is the enemy in cybersecurity. The longer we wait to share information, the more stale it becomes, the more useless it becomes. The quicker we can act together, the quicker we can respond to fortify others,” he argues.
Building relationships with law enforcement before a cyberattack happens can be an important step toward information sharing. The FBI has field offices dedicated to specific ransomware groups that can help victims when they have been hit, Miller points out. But scrambling to find out how to get in touch in the wake of an attack wastes valuable time.
“I still talk to industry leaders that don't know who their point of contact would be,” McPherson tells InformationWeek.
The attacks on MGM and Caesars highlight one of the most difficult decisions enterprises face when becoming victims of ransomware: To pay or not?
MGM did not pay a ransom, while Caesars paid $15 million. For enterprises facing ransomware demands, the stakes include mounting losses while they are unable to operate and access systems. But multimillion-dollar payouts are a massive incentive for ransomware groups to continue finding victims.
“It'll take people [making] the bold effort that MGM did to stand up and not pay knowing that there's going to be some consequences to not paying,” says McPherson.
It is possible for enterprises with even the most sophisticated cybersecurity tools and strategies to fall prey to ransomware gangs such as Scattered Spider. It is essential to not only shore up defenses but also to find ways to be resilient.
“Look at that worst-case scenario, ‘How do I get my network back up and online in minutes or hours instead of days or weeks?’” says Miller.