Ransomware strikes MGM. Here’s what we know.

Over the last few weeks, hackers have broken into IT systems at MGM Resorts International and Caesars Entertainment, two of the biggest casino conglomerates in the world.

The MGM hack was particularly impactful, according to the analysis of cybersecurity experts and information leaked by the hackers themselves. MGM runs more than 25 international hotel and casino locations, along with lucrative online sports betting operations. After the initial report of a cybersecurity incident on September 11, guests reported problems with everything from digital hotel room keys to slot machines to receipts for winnings. As usual, data protection specialists worried that stolen customer information could also be sold on the dark web.

A hacking organization called Scattered Spider claimed responsibility for both the MGM breach and a subsequent one at Caesars. The hackers deployed ransomware created by ALPHV, or BlackCat, a shadowy collective known for providing ransomware-as-a-service. Scattered Spider said that one of its hackers used “vishing,” or voice-based social engineering attacks conducted over the phone, to gain access to data. Then, the data was encrypted before the hackers issued an extortion requiring a ransom payment for its return.

According to industry experts, Scattered Spider’s members are young and fluent in English, making their vishing attempts that much more convincing. In this case, it appears that hackers scraped social media for an employee’s information, and then impersonated them in a call to obtain credentials to access and infect the systems. Representatives claiming to be from Scattered Spider said this was their backup plan—the group initially wanted to break into MGM’s slot machines but were stymied by IT protections.

While MGM opted not to pay the hackers for the return of its stolen data, Caesars decided to pay millions of dollars in ransom. Caesars admitted to the breach and the payment in a required filing to the U.S. Securities and Exchange Commission, which claimed that the company was a victim of a “social engineering attack” that resulted in the theft of private information about members of its customer loyalty program.

Both companies reported significant impacts, however: MGM and Caesars lost market value as stock prices plummeted, and MGM said that some operations were still disrupted at hotels from Las Vegas to Macau.

How was this ransomware hack so effective?

Social engineering tactics, including phishing (attacks initiated via email), vishing (attacks initiated via phone), and smishing (attacks initiated via text), all target the weakest link in cybersecurity protection: human beings.

According to the federal Cybersecurity & Infrastructure Security Agency (CISA), more than 90 percent of all cyber incidents start with some form of phishing. IBM’s 2022 X-Force Threat Intelligence report also revealed that phone-based vishing attacks were three times more effective than email-based phishing attacks.

Stephanie Carruthers, a “chief people hacker” at IBM, tests cybersecurity systems to spot vulnerabilities—and says that vishing is actually easier for bad actors to deploy.

“With phishing, I have to set up infrastructure, I have to craft an email and do all these extra technical things,” Carruthers told Vox. “But with vishing … it’s picking up the phone and calling someone and asking for a password reset. It’s pretty simple.”

Another explanation for the rise in vishing attacks is the preponderance of publicly available information on social media. LinkedIn users often post email exchanges between colleagues or discuss sales success, allowing hackers to target high-value contacts and learn how they compose a message or kick off a phone call. Including a sense of urgency or authority can easily trick junior employees into responding quickly to communications they think are from more senior leaders.

What can I do to protect my business?

• MGM customer? Check your bank account and credit report. Since card numbers and bank information were exposed in the breach, anyone who’s stayed at an MGM resort or purchased any services from the company this year should verify that there are no suspicious charges on their account statements. If you see any, contest them with your bank immediately—and ask to have a new card issued. Since hackers also stole MGM customers’ email addresses, use caution with any email that claims to be from MGM or references the breach. DO NOT click on any links or attachments in a suspicious message. Affected customers can also freeze their credit for free while breach investigations are ongoing.
• Back up your data remotely and regularly. Ransomware attacks are most devastating when a company doesn’t maintain recent and redundant data backups and has to decide whether or not to pay a ransom to cybercriminals to retrieve stolen information. The best line of defense is regular data backup executed daily and stored remotely in multiple locations. That way, even if a ransomware attack does occur, recovery can be effective: a trusted IT provider can help you remove the ransomware from infected computers, wipe affected systems clean, retrieve data from its latest backup point, and reinstall everything you thought you had lost.
• Make sure cybersecurity awareness training is updated and effective. This type of ongoing education may seem redundant—until one of your employees uses a tactic he or she learned in advance to identify a phishing email, hang up on a vishing call, or avoid clicking an infected link that installs a ransomware infection on your company’s systems. Simulation training can empower your staff with practical and pragmatic tips to stop ransomware, while step-by-step checklists outlining what to do in case of a suspected ransomware infection can isolate an issue before it spreads to connected devices.
• Beef up login security to block unauthorized account access. Complex passwords and multi-factor authentication (MFA) can make a big difference—especially if one person’s credentials are stolen and network defenses respond by blocking unauthorized account access. MFA, which requires a user to enter both their password and a unique code usually delivered via text or email, and single sign-on (SSO) apps can mitigate these issues. Meanwhile, business-grade password managers can help you move past the “password123” era, creating random passwords for different accounts but requiring users to memorize just one core master password.
• Strengthen every layer of your cybersecurity defenses. By working with a trusted IT provider like CMIT Solutions, you can make sure that reliable data backup is in place and that users are trained to spot ransomware attacks. You also get additional behind-the-scenes support—installing software updates automatically, for instance, or analyzing Internet traffic to look for any suspicious activity. At CMIT Solutions, we also help businesses with content filtering, SSL encryption, device monitoring, endpoint detection, and threat response across all devices. We aren’t surprised by the continuing increase in digital threats like ransomware—instead, we’re ready to respond to them and keep your business safe.

We’ve spent more than 25 years protecting thousands of businesses across North America from all kinds of cyberattacks and digital incidents. We prioritize ransomware prevention while acknowledging it’s just one layer of critical security. We work with companies of all sizes in all industries, shielding systems, employees, and sensitive data from ongoing threats.

Ready to step up your ransomware protection? Concerned that the MGM breach could have affected you? Contact CMIT Solutions today for responsive help that can secure your business.