A ransomware cyberattack is wreaking havoc on MGM Resorts International this week, shutting down many of the casino giant’s electronic systems. ALPHV, a Russian group that also recently took $30m from Caesars Entertainment, has supposedly claimed responsibility for the attack.
Unlike Caesars, MGM is standing its ground and refusing to pay the large ransom, but company insiders have claimed the disruption could last for several weeks. To learn more about the ongoing situation, VegasSlotsOnline News spoke with Jonathan Care, Cybersecurity Expert at Lionfish Tech Advisors.
According to insider sources, the attack on MGM is a social engineering ransomware attack. Can you explain how these work?
Social engineering is the cybersecurity equivalent of the good old-fashioned con trick. It’s basically convincing someone that you are a friendly, knowledgeable helper and then getting them to do something for you – this can be as simple as emailing a list of credit card numbers or just clicking on a link that downloads malware.
Do you think MGM will have to pay out eventually?
It’s difficult to speculate in these cases. Every organization and every casino has its individual attitude to risk.
MGM will be asking themselves if a payout is less expensive than hiring expert consultants to try and fix the problem. Of course, they will also be well aware that criminal gangs are untrustworthy and so the problem is the same as any other blackmailer – will they stay paid off?
What options does MGM have at this point?
MGM’s options are:
1 – Pay the ransom and hope that the criminal gang are honest criminals and remove the ransomware.
2 – Attempt to restore their computer systems with their own teams.
3 – Bring in external experts to restore their computer systems.
4 – Call in law enforcement such as the FBI. The FBI’s prime focus, of course, will be investigation of the crime and gathering of evidence, not necessarily the speedy restoration of MGM services.
Do you know much about the ALPHV group supposedly responsible for the attack?
ALPHV run BlackCat as a “Ransomware-as-a-service” offering for other criminal gangs. They appear to have publicly claimed responsibility for this attack. The motivation is not clear, but it is an effective demonstration of their capability.
Reports suggest Russia and North Korea both sponsor some of these hacker groups to raise state funds. Is that likely to be the case here?
There’s considerable evidence to suggest that Russia provides safe harbor to criminal organizations and North Korea has state-organized cyber espionage resources.
I speculate that the “smash’n’grab” nature of this attack lends itself to a criminal gang rather than state espionage, which tends to have a stealthier long-term approach – for example, infiltrating banks (and gaming organizations) in developing countries in order to undermine trust in the international financial system.
Cyber-attacks on US gaming companies are increasing in frequency. Can you tell us why?
To quote Willie Sutton: “Because that’s where the money is.” US gaming companies are highly liquid and are seen as targets by criminal gangs. That’s not new and has been the case since gaming companies and criminals existed. What is new is that criminal gangs are moving to the cyber domain – again, because that’s where the money (or the route to it) is.
Is there anything these firms can do to better protect themselves?
Absolutely! And I am sure that the security engineers and leaders in MGM and the other gaming companies are looking very carefully at their defenses. One of the most important facts to realize is that this is not a scenario where the cyber-defenders are expected to repel all attacks. Experience shows that the role of the cybersecurity team is to ensure business survivability – which means an approach such as the following:
PROTECT – Build the best defenses that one possibly can. Anticipate attacks, build a threat model, and implement the appropriate defensive controls.
DETECT – With the expectation that there will be an attacker who is skilled, resourced, and has both time and luck to evade all the protective controls, ensure that the cybersecurity team can detect unusual activity and investigate rapidly.
RESPOND – When an event is detected, carry out a planned, rehearsed incident response process to isolate the attack, eradicate the impact, and restore normal business operations.
LEARN – Carry out post-mortem investigations. Apply these learnings to the implementation of new protective and detection controls.
While this sounds simple in theory, many organizations fail to follow through after implementing protective controls. It’s in our nature as humans to think we have put in the best walls around our castle, and that is enough. It’s important also to note that we are not asking for heroic measures from the cyber teams – in fact, heroic measures are self-defeating because they exhaust our scarce resources.
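As an added illustration of the DETECT and RESPOND steps described above (example code written for this page, not code from the interview, from MGM or from Lionfish Tech Advisors), the block below runs a small detection rule over constructed endpoint file-write log lines and maps each alert onto planned response actions. One common signal of ransomware encryption in progress is a single host writing many files with an unfamiliar extension in a short window; the log format, host names, user names, the `.locked` extension, the 60-second window and the threshold of five writes are all assumptions made for the example.

```python
"""Toy detection-and-response rule for a burst of file writes with an unfamiliar
extension, the kind of 'unusual activity' a DETECT control should surface.
Everything here (log format, hosts, users, extension, thresholds) is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <host> <user> <action> <path>".
SAMPLE_LOGS = """\
2023-09-11T09:00:01 ws-017 alice WRITE /home/alice/docs/q3.xlsx
2023-09-11T09:00:04 ws-017 alice WRITE /home/alice/docs/notes.docx
2023-09-11T09:00:09 ws-017 alice WRITE /home/alice/docs/budget.xlsx
2023-09-11T09:00:30 ws-042 bob WRITE /home/bob/desk/report.pdf.locked
2023-09-11T09:00:31 ws-042 bob WRITE /home/bob/desk/invoice.docx.locked
2023-09-11T09:00:31 ws-042 bob WRITE /home/bob/desk/photo1.jpg.locked
2023-09-11T09:00:32 ws-042 bob WRITE /home/bob/desk/photo2.jpg.locked
2023-09-11T09:00:33 ws-042 bob WRITE /home/bob/desk/photo3.jpg.locked
2023-09-11T09:00:34 ws-042 bob WRITE /home/bob/desk/README.txt
2023-09-11T09:05:00 ws-017 alice WRITE /home/alice/docs/q3.xlsx
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed writes of one unfamiliar extension per host per window
KNOWN_EXTENSIONS = {"xlsx", "docx", "pdf", "jpg", "txt", "pptx"}  # assumed baseline


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "action": action, "path": path}


def extension(path):
    """Return the lowercased final extension of a path ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, extension) whose write count reaches the
    threshold inside the sliding window. Writes with known extensions are ignored."""
    recent = defaultdict(deque)   # (host, ext) -> timestamps still inside the window
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["action"] != "WRITE":
            continue
        ext = extension(ev["path"])
        if not ext or ext in KNOWN_EXTENSIONS:
            continue
        key = (ev["host"], ext)
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"host": ev["host"], "user": ev["user"], "extension": ext,
                           "count": len(q), "first_seen": q[0], "last_seen": ev["ts"]}
    return list(alerts.values())


def respond(alerts):
    """Map each alert onto the rehearsed response steps (isolate, contain,
    preserve evidence, notify) as (action, target) tuples for an orchestrator."""
    actions = []
    for a in alerts:
        actions.append(("isolate_host", a["host"]))
        actions.append(("disable_account", a["user"]))
        actions.append(("preserve_logs", a["host"]))
        actions.append(("notify_ir_lead",
                        f"{a['host']} wrote {a['count']} .{a['extension']} files"))
    return actions


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for alert in found:
        print("ALERT", alert)
    for action in respond(found):
        print("ACTION", action)
```

Only the second host trips the rule: ws-042 writes five `.locked` files inside four seconds, while ws-017 touches only baseline extensions. The response function deliberately returns a list of actions rather than performing them, so the same rule can be exercised in a tabletop rehearsal (the RESPOND step's "planned, rehearsed" process) before it is wired to anything that can isolate a production host.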