MGM Resorts International was allegedly victimized by a ransomware-as-a-service (RaaS) group on September 11, 2023, leading to the temporary shutdown of operations at numerous hotels and resorts.
— MGM Resorts (@MGMResortsIntl) September 11, 2023
“MGM Resorts recently identified a cybersecurity issue affecting some of the Company’s systems,” the company wrote on Twitter. “Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.”
“Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.”
Social Engineering Techniques Allegedly Led to MGM Ransomware Attack
According to vx-underground, a ransomware research group, operatives simply located an MGM employee, then contacted them by calling the business’s help desk. Following a 10-minute conversation, the attackers had the necessary credentials to execute the ransomware — a brazen example of targeted phishing.
All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.
A company valued at $33,900,000,000 was defeated by a 10-minute conversation.
— vx-underground (@vxunderground) September 13, 2023
The method of attack is alleged, and the identity of the attackers is currently unclear. vx-underground attributes the attack to ALPHV, a ransomware-as-a-service group also known as BlackCat (discussed below).
Another source attributes the incident to Scattered Spider, which specializes in social engineering tactics. Scattered Spider uses similar methods as ALPHV/BlackCat, and the groups may have worked together to compromise MGM.
How BlackCat/ALPHV Executes Ransomware Attacks
The Cybersecurity & Infrastructure Security Agency (CISA) has issued warnings about BlackCat/ALPHV, noting that the actors “leverage Windows scripting to deploy ransomware and to compromise additional hosts.”
CISA reports that BlackCat/ALPHV utilizes the following batch and PowerShell scripts in typical attacks:
- start.bat – launches the ransomware executable with required arguments.
- est.bat – copies the ransomware to other locations.
- drag-and-drop-target.bat – launches the ransomware executable for the MySQL Server.
- run.bat – executes a callout command to an external server using SSH; file names may change depending on the company and systems affected.
- Runs1.ps1 – PowerShell script to disable McAfee antivirus software.
For a successful attack, the group often relies on accurate user credentials; these may be purchased from other bad actors or obtained through other methods (in this case, the credentials were allegedly obtained via a 10-minute phone call).
Ransomware Continues to Threaten Businesses of Every Size
The MGM attack is notable because of its high visibility. The actors immediately disrupted a major hotel chain’s operations — and MGM quickly issued an apology on their website, which brought quite a bit of attention on social media.
But most ransomware attacks are under-the-radar, and the vast majority of targets are much smaller than MGM. Appropriate password security practices could have prevented this particular instance, but the simple fact is that many large enterprises (and small businesses) are vulnerable to targeted ransomware attacks.
Datarecovery.com provides an array of ransomware services to help businesses fight back against malicious software. From ransomware recovery to penetration (PEN) testing, disaster recovery deployment, and ransomware investigation, we’re dedicated to providing solutions supported by decades of experience.
To learn more, submit a case online or call 1-800-237-4200 to speak with an expert.