Within weeks, two of the world’s largest casino-hotel companies—MGM Resorts and Caesars—were hit with ransomware attacks. One met the hackers’ demands, while the other is resisting.
On Thursday, Caesars Entertainment revealed in an SEC filing what had been reported Wednesday by Bloomberg and the Wall Street Journal: that the company had been the victim of “a social engineering attack on an outsourced IT support vendor used by the company.”
Notably, the attack on Caesars happened weeks prior to the attack on MGM Resorts that has, since Sunday evening, wreaked havoc on MGM’s operations, forcing guests to wait hours to check in and crippling electronic payments, digital key cards, slot machines, ATMs and paid parking systems. The company’s website and mobile app have been offline for nearly four days.
Both companies are now statistics in a worldwide trend. Cyberattacks were up globally 156% in the second quarter of 2023 compared to the first three months of the year, according to a report from the World Economic Forum.
Huge corporations make extremely lucrative targets. Last year, MGM Resorts and Caesars Entertainment generated revenues of $13 billion and $11 billion, respectively.
Both companies appear to have been targeted by known ransomware-as-a-service groups. ALPHV, also known as Black Cat, claimed responsibility for attacking MGM while an affiliated group that calls itself Scattered Spider hit Caesars. Neither MGM nor Caesars responded to Forbes’ requests for comment.
The preferred tactic for both ransom gangs is to use social engineering to gain access into the companies’ IT systems — and they are extremely good at it, say cybersecurity experts. ALPHV reportedly bragged that it took 10 minutes to infiltrate MGM’s system after identifying an MGM tech employee on LinkedIn and then calling the company’s support desk. Scattered Spider gained entry to Caesars’ system by deceiving an employee at a third-party vendor.
“It’s bonkers, says Alex Waintraub, a cyber crisis management expert at CYGNVS who has worked on hundreds of ransom cases. “Companies are spending sometimes hundreds of millions of dollars on preventative care, detection care, protection care, endpoint detection response, and so on. And guess what? The simplest, unsophisticated ways are how the threat actors are getting in: Click on this link and type in your credentials.”
The continued success of social engineering as a tactic demonstrates that humans are often the weakest link in the chain, says Alex Hamerstone, advisory solutions director at TrustedSec, an Ohio-based cybersecurity firm. “If you’re designing a resilient IT infrastructure, calling one person and getting one password or link or whatever should not take down your whole company.”
In stark contrast to MGM, Caesars reported that its customer-facing operations, “including our physical properties and our online and mobile gaming applications,” were not disrupted. But according to the filing, Caesars determined a week ago that the hacker acquired a copy of the Caesars Rewards loyalty program database, “which includes driver’s license numbers and/or social security numbers for a significant number of members in the database.” Caesars says there is no evidence to date that any member passwords, bank account information, or payment card information were stolen.
The Wall Street Journal reported that Caesars paid a $30 million ransom. While the company’s SEC filing does not reveal the precise amount, it acknowledges that Caesars incurred “certain expenses related to this attack, including expenses to respond to, remediate and investigate this matter.”
Threat actors often determine a ransom sum after researching a company’s financial documents and even determining its insurance coverage limit. Waintraub has even seen blackhat actors steal delete a company’s insurance policy from its IT system in the hope of keeping the victim blind to the terms of its own policy. “They know the insurance company is going to have a ransom negotiator,” he explains. “And they don’t want to deal with the ransom negotiator. They want to negotiate with the CEO.”
In the end, Caesars decided it was better to pay up. “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” the company’s SEC report continues.
Waintraub speculates that it’s highly unlikely Scattered Spider will break its word. “In general, the most important thing to these groups is their reputation,” he says. Typically, a ransom is paid in exchange for a promise that a decrypter will be provided along with proof that stolen exfiltrated data has been deleted. He says it’s very rare that the ransom gang reneges.
“I’ve personally worked on incidents where threat actors just stopped talking mid-negotiations,” Waintraub says. “When that happens, people talk on Twitter and on other social media, and then companies stop paying them. And when they lose that ability to financially make money, the group sort of falls apart.”
In contrast, MGM has apparently decided not to capitulate, which is what the FBI advises. “Paying a ransom doesn’t guarantee you or your organization will get any data back,” says the agency’s website. “It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
“The belief is that if you continue giving them money, then they will continue doing this,” Waintraub says. Sometimes a company will determine that the stolen data wasn’t as sensitive as a threat actor thought. “Ideally, you’re able to restore the company without having to actually facilitate a payment, but sometimes there’s no other way to get your company back up online.”
As of Thursday afternoon, the MGM Resorts website had been down for more than 84 hours.