What Happens in Vegas: MGM Resorts ‘Ransomware’ Attack – Source: securityboulevard.com

“Nevada’s largest employer”

Brian Ahern, MGM’s executive director of communications, issued a statement … that the casino company has been hit with an unknown attack: “[We] took prompt action to protect our systems and data, including shutting down certain systems.” … (Ahern issued the company statement through a Gmail address, as employees do not currently have access to their company email because of the cyber incident.)

…

MGM Resorts’ last major cybersecurity event came in 2019 when personal information on 30 million guests was shared publicly on … Telegram. MGM confirmed in early 2020 that it was the victim of a data attack from a Russia-based hacking group.

…

MGM is Nevada’s largest employer and operates the most casinos on the Las Vegas Strip. … The outage, however, is apparently affecting MGM’s regional casinos, too [including] MGM National Harbor, … Borgata in Atlantic City, MGM Grand Detroit, MGM Springfield in Massachusetts, Beau Rivage in Mississippi, Empire City Casino in NYC, and MGM Northfield Park in Ohio.

“Ransomware attacks”

MGM isn’t just any old casino vendor; it’s a huge corporate empire, encompassing a multitude of interlocking businesses. … The impact of a ransomware attack on its business operations could be immense. … We’ll have to wait to see just how screwed MGM really is.

…

Local news outlets in Las Vegas caught wind of various complaints from patrons of MGM businesses: Some said ATMs at associated hotels and casinos didn’t appear to be working; others said their hotel room keys had stopped functioning; still others noted that bars and restaurants located within MGM complexes had suddenly been shuttered. [And] MGM’s website [is] definitely not working the way that it’s supposed to.

…

While it’s still not totally clear what kind of attack we’re talking about here, the most likely culprit in a case like this would be ransomware. Ransomware attacks on casinos aren’t quite as common as, say, attacks on schools or small businesses—but they have been known to happen.

“Wouldn’t be the first time”

The fact that MGM Resorts shut down certain systems points to one thing: A ransomware attack. A typical ransomware attack involves the code spreading across a network before encrypting data and demanding a ransom payment. The way to prevent ransomware from spreading across a network is to disable exposed parts of the network as soon as the ransomware is detected on internal systems, which is what MGM Resorts has done.

…

It wouldn’t be the first time ransomware operators have targeted hotel and resort owners. InterContinental Hotels Group PLC, the owner of hotel brands such as Holiday Inn, Crowne Plaza and Regent, was struck … in September 2022. … Hyatt Hotels Corp. suffered a similar attack in 2015.

Looooool ****ing morons. Worked in end user support for them. When MGM2020 plan was announced they told us it was to reinvest money into IT infrastructure including, most primarily, Cybersecurity. Clearly they didn’t.

…

[They] almost got ground to a total halt of business by WannaCry. It got into one of the main surveillance systems, and the only reason it didn’t blue screen that server was a glitch when it attempted to launch its payload. … Literally a stroke of luck kept them from having to shut down almost every casino.

…

****ing idiots. Hope they get roasted for this.

1) They have large, very detailed databases with extensive customer records: Photos of drivers licenses, for example.

…

2) Easy attack vector: Heavily dependent on a variety of vendor software and systems that are way out of date, run by weak, underpaid and often uninformed IT staff.

…

3) Casino companies are typically heavily incented to simply pay the ransom, rather than face regulatory scrutiny and consumer distrust.

Hmm. Having worked with teams at MGM, I can tell you that the networks are air-gapped. I would guess either a vendor was compromised, or someone made a huge mistake (read: $$$$).

This is just in my department (room service). I can’t imagine how it is in the others:

…

A lot of people thought room service was closed because they couldn’t access [it]. And we couldn’t access the multiple programs that lets us see the comp orders hosts have for guests—and the hosts couldn’t access their notes to call and tell us what the orders where and to whom they were going. … We had to hand write everything for the kitchen and the servers. It’s a good thing we had the right kind of carbon copy paper.

…

Management couldn’t order specific things from the warehouse, workforce couldn’t email them to tell them who called out or to call employees in. Management couldn’t access employee phone records to call them in themselves. Employees had to write down the coworker’s phone numbers that they had and give them to the managers so they could call staff in because our schedules are stupid. … The warehouse will only be sending supplies that were sent the day of week before. So we’ll have extra of certain things and nothing of other things.

Maybe most of the LED displays are run by the same IT department. So if I were an evil genius, this latest attack would be only the first salvo of bewildering hijinks perpetrated in the service of a multistep heist. The ultimate goal: Rickroll the entire city after hijacking The Sphere.

Oh my God I hope this doesn’t eat away at their near $13B in revenue fleeced mostly off of people with poor habit control.

Recent Articles By Author