MGM Resorts suffers ransomware infection following social engineering attack

The gaming giant MGM Resorts has shut down large parts of its systems following a ransomware attack, causing widespread disruption across its hotels and casinos. TechCrunch reports that many of MGM’s casinos are “out of action” and staff have had to resort to using pen and paper.

The story was first reported by the malware repository vx-underground on 13 September. It claimed that the perpetrators were an affiliate of the ALPHV/BlackCat ransomware-as-a-service group, identified as Scattered Spider. An admin for ALPHV/BlackCat later confirmed this to BleepingComputer.

Scattered Spider is known for its social engineering attacks, such as impersonating help desk staff to trick users into supplying their credentials, or impersonating employees to persuade a help desk to reset their passwords. In this case, all Scattered Spider had to do, said vx-underground, “was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation”.

According to BleepingComputer, “the hackers say that they do not know what type of data they stole from MGM but promise to extract relevant information and share it online unless they reach an agreement with MGM”.

Details remain unclear, but any ransom demand is likely to be high: the attack occurred only weeks after another hotel and casino company, Caesars Entertainment, paid a ransom of several million dollars to Scattered Spider to resolve a similar attack.

MGM Resorts, which operates 30 hotel and gaming venues around the world, including in Las Vegas, is still responding to the incident. In an update posted on X (formerly Twitter) on 14 September, the company said:

“We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly. We couldn’t do this without the thousands of incredible employees who are committed to guest service and support from our loyal customers. Thank you for your continued patience.”

GRCI Law’s head of cyber incident response, Cliff Martin, commented that the incident “serves as a stark reminder that no matter how much an organisation invests in technology, a single lapse in human judgment can open the door to threat actors. This incident underscores the critical importance of human training in cybersecurity.”

He continued: “Employees, already burdened and fatigued by their workloads, often become susceptible to such tactics, making it alarmingly easy for threat actors to exploit these vulnerabilities. It is imperative for organisations to establish a robust incident response plan to effectively address cybersecurity incidents as they inevitably occur. Regardless of an organisation’s size, it is not a question of ‘if’ but ‘when’ a cyber security incident will happen. Being well prepared is key to minimising its impact and protecting what is important. The earlier an incident can be detected, the better.”

How to mitigate phishing and other social engineering attacks

All organisations are vulnerable to phishing and other social engineering attacks, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach. The MGM incident shows that this applies to help desk and other support staff as much as to email users: a caller who sounds like a colleague deserves no more trust than an email that looks like it came from one, and any credential reset granted over the phone should be verified out of band and watched closely afterwards.
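One check a defender can build from the help-desk call described above is to correlate phone-initiated credential resets with the sign-ins that follow them: a reset granted on a phone call, followed within the hour by a login from an IP address or MFA device the user has never used, is exactly the sequence an attacker produces. The following is an added example, not code from the article, MGM Resorts or GRCI Law. The JSON-lines audit format, the field names (`channel`, `ticket`, `mfa_device`) and the sample events are all constructed for illustration; a real deployment would read the equivalent fields from the help-desk ticketing system and the identity provider’s sign-in log.

```python
"""Flag phone-only help-desk credential resets followed by an unfamiliar sign-in.

Added example; the log format, field names and all events below are constructed
assumptions, not real MGM or vendor data.
"""
import json
from datetime import datetime, timedelta

# Constructed help-desk audit records. "channel" records how the caller was
# verified: "phone_only" means no out-of-band check was performed.
HELPDESK_LOG = """\
{"ts": "2023-09-10T14:02:00Z", "event": "credential_reset", "user": "jsmith", "channel": "phone_only", "ticket": "HD-1001"}
{"ts": "2023-09-10T14:05:00Z", "event": "mfa_reset", "user": "jsmith", "channel": "phone_only", "ticket": "HD-1001"}
{"ts": "2023-09-11T09:30:00Z", "event": "credential_reset", "user": "akhan", "channel": "in_person", "ticket": "HD-1002"}
"""

# Constructed identity-provider sign-in records.
SIGNIN_LOG = """\
{"ts": "2023-09-10T14:11:00Z", "event": "signin", "user": "jsmith", "ip": "203.0.113.77", "mfa_device": "new-phone-7"}
{"ts": "2023-09-11T09:45:00Z", "event": "signin", "user": "akhan", "ip": "198.51.100.10", "mfa_device": "corp-token-3"}
{"ts": "2023-09-12T08:00:00Z", "event": "signin", "user": "jsmith", "ip": "198.51.100.11", "mfa_device": "new-phone-7"}
"""

# Constructed baseline: IPs and MFA devices each user had used before the reset.
KNOWN = {
    "jsmith": {"ips": {"198.51.100.11"}, "mfa_devices": {"corp-token-1"}},
    "akhan": {"ips": {"198.51.100.10"}, "mfa_devices": {"corp-token-3"}},
}

RESET_EVENTS = {"credential_reset", "mfa_reset"}


def parse_log(text):
    """Parse JSON lines into dicts, converting the ISO-8601 "ts" field to datetime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return events


def find_suspicious_resets(helpdesk_text, signin_text, known, window_minutes=60):
    """Return one alert per (ticket, sign-in) where a phone-only reset is followed,
    within window_minutes, by a sign-in from an IP or MFA device not in the user's
    baseline. Resets verified by any other channel are ignored."""
    window = timedelta(minutes=window_minutes)
    resets = [e for e in parse_log(helpdesk_text) if e["event"] in RESET_EVENTS]
    signins = parse_log(signin_text)
    alerts, seen = [], set()
    for reset in resets:
        if reset["channel"] != "phone_only":
            continue
        baseline = known.get(reset["user"], {"ips": set(), "mfa_devices": set()})
        for signin in signins:
            if signin["user"] != reset["user"]:
                continue
            delta = signin["ts"] - reset["ts"]
            # Only sign-ins after the reset and inside the window are relevant.
            if not (timedelta(0) <= delta <= window):
                continue
            key = (reset["ticket"], signin["ts"])
            if key in seen:  # several resets on one ticket share one alert
                continue
            reasons = []
            if signin["ip"] not in baseline["ips"]:
                reasons.append("new_ip")
            if signin["mfa_device"] not in baseline["mfa_devices"]:
                reasons.append("new_mfa_device")
            if reasons:
                seen.add(key)
                alerts.append({
                    "user": reset["user"],
                    "ticket": reset["ticket"],
                    "reset_event": reset["event"],
                    "minutes_after_reset": int(delta.total_seconds() // 60),
                    "signin_ip": signin["ip"],
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(HELPDESK_LOG, SIGNIN_LOG, KNOWN):
        print(json.dumps(alert))
```

On the constructed data this raises a single alert for ticket HD-1001: a phone-only reset for `jsmith` followed nine minutes later by a sign-in from an unknown IP with a never-before-seen MFA device. The in-person reset for `akhan` and the later `jsmith` sign-in from a known address produce nothing. The baseline of known IPs and devices is what gives the rule its signal; without it, every post-reset login would look the same.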

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.