
Lessons Learned from the MGM Ransomware Attack 

Learn from MGM's costly ransomware attack: Protect your business from cyber threats. Stay updated, educate employees, and be vigilant.

Here we go again. Another major corporation has been victimized by a crippling ransomware attack that has disrupted customer service and cost the business incalculable damage to its reputation – and to its bottom line. And no fancy AI was involved, either. Hackers pulled off a malicious attack using one of the oldest techniques in the book. This time, the victim was MGM Resorts, which owns 31 casinos such as the Bellagio, Excalibur, and the Luxor in Las Vegas. The company’s IT systems were breached by a social engineering hack. In an instant, Sin City was turned into Panic City. What happened, and what can businesses learn from this?

The Extent of the MGM Ransomware Attack 

As of this writing, the Bellagio, Excalibur, Luxor, and possibly more hotels have been brought to a standstill. MGM said that the cyberattack represents a material risk to the company. The company’s corporate email, restaurant reservation and hotel booking systems remain offline as a result of the attack, as do digital room keys. The credit rating agency Moody’s warned that the cyberattack could negatively affect MGM’s credit rating, saying the attack highlighted “key risks” within the company. Frustrated guests of MGM hotels have posted videos on TikTok showing long lines of customers trying to check in and out of their rooms. Casino gambling, the mainstay cash cow of Las Vegas, has been disrupted at affected resorts. Employees are now fearful that they will not be paid on Friday and due to the company’s size.

MGM Resorts reported that it brought in about $25 million per day in the third quarter of 2022, meaning the hotel is likely losing millions each day with the outages affecting dozens of slot machines and other resort functions.

How the Ransomware Attack Happened 

How did this happen? Reportedly, the MGM cyberattack was a social engineering attack. An affiliate of the BlackCat/ALPHV ransomware gang was behind the attack. A notable affiliate of the gang, known by researchers as Scattered Spider or 0ktapus, reportedly told vx-underground directly that they gained access to MGM’s systems by searching for employees on LinkedIn and spoofing the IT help desk in a 10-minute conversation. (Reuters spoke to two sources that confirmed Scattered Spider was behind the incident.) Crucially, they timed the attack for the weekend, when hotel IT systems are most vulnerable. The MGM attack is reportedly by the same group that targeted Caesars Entertainment. Caesars reportedly paid a ransom of tens of millions of dollars to hackers who attacked its systems in late August.

Members of the group spoke to the Financial Times and TechCrunch this week, claiming their original goal was to attack MGM’s slot machines only and use paid mules to slowly milk the devices. But when that failed, they turned to their tried-and-true methods of attack, eventually encrypting the company’s systems. According to Telegram conversations with both outlets, the hackers were able to exploit remote login software and leaked VPN account information from MGM employees to move throughout the company’s system. 

What Businesses Can Do 

What can businesses take away from this incident? Plenty: 

  • First off, if you are reading this post, realize that your business is vulnerable to a ransomware attack. No one is free from the reach of bad actors. So, what are you doing to protect yourself? 
  • Businesses can make themselves less vulnerable, just like someone who locks their doors to their home and uses a security system. Those measures won’t make you completely safe, but they’ll compel a hacker to move on and attack someone who is more vulnerable.  

A few months ago, Royal Mail was affected by ransomware (by LockBit, a ransomware group linked to Russian crime gangs), and its international services were affected for more than a month. Now, it’s MGM. So, consider these incidents to be wake-up calls. Be proactive about keeping your IT systems up to date. Educate your employees. Be vigilant. 

Our recently published white paper on cybersecurity, privacy, and accessibility contains more insight into our thinking on safeguarding your digital estate. In addition, the IDX on-demand hosting platform is built from the ground up with security and data protection by design. Our cyber threat prevention system offers complete DDoS protection and malicious traffic analysis and prevention, and it underpins every website we build. Combined with the atomized modular architecture of the Connect.ID CMS platform, we can deploy beautifully designed and highly performant websites in as little as two weeks from ideation to build. Contact us to learn how we can protect you.