What Are the Biggest Lessons from the MGM Ransomware Attack?

On Sept. 11, MGM Resorts International posted news of a cybersecurity issue on X (formerly Twitter). In the following days, the incident became clearer -- MGM Resorts International, a hospitality company that owns 31 hotels and casinos around the world, was the victim of a ransomware attack.

The company filed an 8-k form giving a brief statement echoing its initial words on X. Over the next several days, the company released updates on X, giving assurances that it was working through the incident and striving to give guests access to its services.

What can cybersecurity leaders and other enterprise stakeholders learn from this high-profile ransomware attack?

Social Engineering Is an Effective Tactic

On Sept. 12, vx-underground, a collection of malware source code and platform for information exchange, attributed the attack to ransomware group ALPHV, also known as Black Cat. In an X post, it notes that the group gained access simply by finding an employee on LinkedIn and calling the help desk.

This tactic is known as voice phishing or vishing. Attackers can use vishing to “ … get the two-factor authentication for those accounts so they can get into their corporate infrastructure and move laterally from there,” Justin Albrecht, global director of mobile threat intelligence at data protection and cloud security platform Lookout, tells InformationWeek in a phone interview.

Related:What Cybersecurity Gets Wrong

“Based on their TTPs [tactics, techniques and procedures] and the way we know that they operate, that's a very typical way for that to get into organizations and probably what they used here,” he adds.

Scattered Spider goes by other names, including Oktapus and Scatter Swine. The group has had previous and sweeping success using social engineering tactics. In 2022, Oktapus was linked to the social engineering attack that targeted Twilio and Cloudflare. The attack netted approximately 10,000 sets of Okta credentials with a ripple effect that swept up more than 130 other organizations into the attack. The group used ALPHV ransomware in the MGM attack.

Threat Actors Are Embracing Professionalism

Ransomware groups increasingly focus on branding and reputation, according to Ferhat Dikbiyik, head of research at third-party risk management software company Black Kite. “When ransomware first made its appearance, the attacks were relatively unsophisticated. Over the years, we have observed a marked elevation in their capabilities and tactics,” he tells InformationWeek in a phone interview.

The collaboration between groups like Scattered Spider and ALPHV is an indication of this increased professionalism. Furthermore, ALPHV released a released a statement detailing its access to MGM’s systems on Sept. 14.

Related:Tesla Insider Data Breach Exposed Over 75,000

In the statement, the group takes umbrage to rumors about its actions and the people behind its attack. “We did not attempt to tamper with MGM’s slot machines to spit out money because doing so would not be to our benefit and would decrease the chances of any sort of deal.”

The group also called out: “The rumors about teenagers from the US and UK breaking into this organization are still just that -- rumors. We are waiting for these ostensibly respected cybersecurity firms who continue to make this claim to start providing solid evidence to support it.”

Dikbiyik also notes that ransomware groups’ more nuanced selection of targets is an indication of increased professionalism. “These groups are doing their homework. They have resources. They acquire intelligence tools…they try to learn their targets,” he says.

While ransomware is lucrative, money isn’t the only goal. Selecting high-profile targets, such as MGM, helps these groups to build a reputation, according to Dikbiyik.

The Fallout from a Ransomware Attack Is Expensive

The immediate impact the cyberattack had on MGM’s operations was significant. In its statement, ALPHV claims MGM shut down its Okta Sync servers when it discovered the group’s presence. But the threat actor retained administrator privileges. After waiting a day, the group launched ransomware attacks, according to the statement.

Related:US Probes Microsoft Email Breach, Cloud Security

In the days following the attack, various parts of MGM’s operations were offline. Bloomberg reported that digital keys for hotel rooms and slot machines did not work. This kind of downtime is expensive. Potential third-party litigation and investment in more cybersecurity controls could also play a role in mounting expenses.

Additionally, the cyberattack could impact the company’s credit rating. “Moody’s issued a statement that this cyber event could cause a downgrade to MGM’s credit rating, which I consider reputational harm as it could impact MGM’s ability to borrow,” Allen Blount, national cyber and technology product leader for brokerage and consulting firm Risk Strategies, shares via email.

Customer dissatisfaction with the company’s scramble to get back to normal operations could play into reputational harm as well. “We saw this play out through social media as many MGM customers posted their displeasure on X and Instagram. Those customers may decide not to attend another MGM location,” says Blount.

While the costs are adding up for MGM, it seems that a ransomware payment will not be added to the list at this point. ALPHV noted in its statement: “We believe MGM will not agree to deal with us.”

Caesars Entertainment, another hotel and casino company, was the victim of a social engineering attack just days before MGM. “On September 7, 2023, we determined that the unauthorized actor acquired a copy of, among other data, our loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database,” according to its 8-k. Caesars paid $15 million, according to CNBC. Bloomberg reports that the same threat actors were behind the Caesars and MGM attacks.

If MGM ultimately does not pay, it will need to consider what data the threat actors exfiltrated and what will be exposed or sold.

Ransomware Attacks Are Likely to Continue

Ransomware profit declined in 2022, but that doesn’t mean threat actors are going to abandon these attacks. The billions made from ransomware payments thus far are a significant motivator to continue searching for new victims to extort. “This has attracted more organized and skilled actors to the field, turning what might have been amateur or small-time hackers into sophisticated and structured organizations,” says Dikbiyik.

Plus, the increasing availability of ransomware-as-a-service enables relatively unskilled threat actors to launch these kinds of attacks.

With more ransomware attacks on the horizon, enterprises need to consider their own vulnerability and how to reduce risk. Albrecht emphasizes the importance of preparing for an attack. “You need to be able to counteract … these social engineering attacks using technical processes and tooling in addition to training for employees,” he says.