MGM, the hospitality giant, is under scrutiny for its cybersecurity practices following a suspected cyber attack that disrupted its operations. The BlackCat Ransomware gang is suspected to be behind the attack. The incident affected several crucial aspects of MGM's business, including its main website, the websites of its 31 resorts, its mobile rewards app, online bookings, and in-casino services like ATMs, slot machines, and card payment machines.
On September 12, MGM confirmed that its IT systems were back online. However, at the time of reporting, the main MGM website was still down. There were also concerns raised on a Las Vegas social media account, @LasVegasLocally, about whether the company would be able to pay its employees on Friday.
This incident has raised concerns about the vulnerability of the casino industry to cyber attacks. Zane Bond, head of product at Keeper Security, highlighted the vast amounts of sensitive customer data, including credit card information and personally identifiable information (PII), that casinos and hotels handle. Bond also pointed out the valuable intellectual property that underpins casino operations as an attractive target for cyber criminals.
Brad Freeman, director of technology at SenseOn, criticized MGM's security practices. He noted MGM's history of data breaches, including a 2019 incident where the details of 142 million users were taken, a figure much higher than initially reported by the company.
While MGM has not disclosed the origins of the incident, many security researchers suspect a ransomware attack. Fergal Lyons, a cybersecurity evangelist at Centripetal, suggested that MGM might end up paying the ransom if it sees no other option.
On September 13, the Vx-underground collective of malware researchers claimed that the ALPHV/BlackCat group had reached out to them and confirmed responsibility for the attack. They suggested that the ransomware gang demanded a ransom from MGM Resorts International, but the company didn’t pay. The ALPHV/BlackCat leak site did not mention the attack at the time of reporting.
ALPHV/BlackCat is a ransomware gang that has operated a ransomware-as-a-service (RaaS) model since 2021. It has compromised over 100 organizations and is known for using a sophisticated ransomware variant known as Sphinx. The group was also observed exploiting a known vulnerability in Fortra’s file transfer solution GoAnywhere MFT (CVE-2023-0669) in April 2023. According to a Microsoft research profile, ALPHV/BlackCat has links to other ransomware groups such as Conti, LockBit, and REvil, as well as the DarkSide and BlackMatter cyber-criminal cartels.