Lessons from MGM and Caesar Casino Ransomware Attacks

In recent weeks, the cybersecurity world was rocked by two high-profile ransomware attacks targeting industry giants MGM Resorts and Caesars Entertainment, both prominent players in the casino and hotel sector. These incidents not only caused operational disruptions but also exposed sensitive customer data. As organizations increasingly invest in top-tier security solutions to protect against such threats, this recent attack is a stark reminder that relying solely on prevention-based strategies can not provide an absolute defense. This blog will summarize these attacks’ key details and emphasize the urgent need for robust ransomware containment measures.

The MGM Resorts Ransomware Attack

On September 11th, MGM Resorts became the epicenter of a cyber crisis. The company experienced widespread system outages and service disruptions across its Las Vegas and Atlantic City properties. Both customers and MGM employees faced numerous issues as a result. Reservations were erased, and existing keycards malfunctioned, forcing hotel staff to spend hours resolving room access issues for customers and costing MGM thousands in cancellation and change fees—which were waived as guests whose reservations weren’t erased canceled their upcoming trips. All gambling and betting had to be manually tracked, with only cash available for exchange, causing further security issues throughout casino floors.

MGM’s systems were down for 10 days, costing the company an estimated $8.4 million per day and roughly $850 million in market value as their stock dipped 12.5%. Unlike Caesars, MGM declined to pay the ransom demanded. As a result, personal information, including social security numbers and bank account info for more than 10.6 million customers, was leaked. However, the servers and data held by the hackers were held hostage, forcing MGM to use the backup servers to restore operations.

This attack, attributed to an affiliate of the notorious ransomware group Alphv (also known as BlackCat), is a stark example of the crippling impact ransomware can have on even the most robust organizations.

The Caesar Casino Data Breach

Caesars Entertainment disclosed a data breach in a separate alarming incident through a regulatory filing. The attack exposed sensitive customer information from their Caesars Loyalty Rewards database, including Social Security numbers and driver’s license details. Even more shocking is that Caesars reportedly paid a $15 million ransom to prevent the release of stolen customer data and restore their systems. This incident vividly underscores the financial and reputational risks associated with ransomware attacks. So far, according to Caesars, this customer info has not been released.

Attack Methods

Unlike many recent cyberattacks where hackers have breached systems via email phishing, USB ports, or IoT, the attacks on MGM and Caesars were done via social engineering tactics. Scattered Spider is unique because its members are primarily younger and based in the U.S. and U.K. In MGM’s case, a group member found an MGM employee on LinkedIn and then called the company’s help desk, impersonating said employee. Within a 10-minute phone call, they could hack MGM’s system using that employee’s admin credentials. Caesars was infiltrated through a third-party outsourced IT services contractor using similar tactics.

It is worth noting that given their cash flow and treasure troves of sensitive customer data, casinos such as MGM and Caesars have best-of-breed solutions in place to help mitigate potential threats. This includes EDRs, malware detection, email scanners, and even red teams whose sole purpose is identifying vulnerabilities before hackers can exploit them. Yet, these sophisticated security measures were all thwarted by a fraudulent phone call to the IT departments that help administer them.

These attacks highlight a very important fact of cybersecurity that, until now, has been overlooked: sometimes, all the prevention in the world is still not enough. Not even well-funded, heavily secured, and monitored casinos are immune.

As Emily Phelps, Director of Cyware, was quoted in CPO Magazine: “If organizations take away anything from the Caesars ransomware attack, let it be a reminder that human behavior is one of the most common vulnerabilities threat actors exploit. Technologies change rapidly. Human behavior doesn’t. Improving security awareness must be an ongoing effort, and it is only the beginning. To minimize social engineering risks, it’s important to ensure you require multifactor authentication, ideally using different types of authentication, such as a passphrase and an authenticator app..”

As Phelps notes, organizations need to do more. With increasingly sophisticated attack methods, preventative measures will never be enough. Whether the attack comes from an endpoint or a fraudulent phone call, containment protects against even human error.

The Crucial Role of Ransomware Containment

The MGM Resorts and Caesar Casino incidents serve as a wake-up call for organizations of all sizes. Although they invested in the best-in-breed prevention-based security tools such as EDRs, email gateways, firewalls, MFA, etc., neither casino could detect and prevent the attack. The cybercriminals were still successful at getting through and caused significant damage to their IT infrastructure.

To protect against the rising tide of ransomware attacks, organizations must augment their preventative measures with automated ransomware containment solutions to address the attacks that eventually get through. These solutions extend beyond traditional cybersecurity measures, focusing on rapid detection of an active attack, isolation of the compromised user and device, and containment of the data encryption and exfiltration that takes place.

As technology advances, attack vectors increase. Even the most sophisticated prevention measures cannot cover every single ingress, as new methods consistently pop up and groups such as Scattered Spider take advantage of social engineering. Containment, however, is ingress agnostic. With containment solutions, attacks can be halted as soon as they are initiated, preventing data encryption, isolating the affected endpoint(s), and preventing operation downtime.

Learn More

BullWall offers a ransomware penetration test to help you assess how your current tools respond to various ransomware variants. You can request one here or schedule a demo of our containment solution.