ALPHV/Blackcat Ransomware Group: Unraveling the MGM Cyberattack Saga


Recent reporting on the cyberattack against MGM Resorts and Casinos, attributed to the ALPHV/BlackCat ransomware group, has sent shockwaves through the cybersecurity world. In this article, we delve into the details of this high-profile breach: the group’s stated motivations, its tactics, and the repercussions for one of the world’s leading hospitality conglomerates.

The ALPHV/BlackCat’s Bold Claim

The ALPHV/BlackCat ransomware group drew global attention when it publicly claimed responsibility for the crippling cyberattack on MGM Resorts and Casinos. Its statement described the planning that preceded the attack.

The group asserted that it had infiltrated MGM’s infrastructure the preceding Friday but had refrained from deploying ransomware until Sunday, when it encrypted more than 100 ESXi hypervisors. The stated reason was a lack of response from MGM, whose engineers ALPHV claimed it had repeatedly tried to contact: “Due to their network engineers’ lack of understanding of how the network functions, network access was problematic on Saturday.”

ALPHV/BlackCat’s Continued Threat

Amid mounting speculation on social media, ALPHV addressed the situation directly. In a lengthy statement posted on its dark-web leak site, the group gave its own version of events. It also declared that it still had access to MGM systems and threatened further attacks if no agreement was reached.

The group also took issue with media reports that, in its telling, attributed fanciful feats to it, such as “tampering with MGM slot machines to dispense cash.” ALPHV rebuked the media for misreporting its activity. The group stated, “At this point, we have no choice but to criticize VX Underground (a malware research group) for falsely reporting events that never happened,” followed by, “They chose to make false attribution claims then leak them to the press when they are still unable to confirm attribution with high degrees of certainty after doing this. The tactics, techniques, and procedures (TTPs) used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate.”

Collaboration Rumors with Scattered Spider

As news of the MGM cyberattack spread, rumors emerged of a collaboration between ALPHV and another threat actor, Scattered Spider, also tracked as Scatter Swine or UNC3944, hinting at joint responsibility for the MGM breach. It was later reported, however, that Scattered Spider had conducted a separate attack on Caesars Entertainment, and that Caesars had paid the group a ransom of about $15 million.

MGM’s Struggles in the Aftermath  

The cyberattack had severe repercussions for MGM Resorts and Casinos. All twelve of its resorts on the Las Vegas Strip were severely affected: systems were shut down and operations moved to manual, cash-only procedures for more than 24 hours. Guests were locked out of rooms, slot machines went offline, and the properties faced numerous other operational problems.

Bobby Cornwall, VP of strategic partner enablement and integration at SonicWall, said the decision to shut down systems was justified: “Out of an abundance of caution, MGM made the right call to lock down all the systems it did, even if it meant inconveniencing its guests as a result of their actions.”

Caesars Pays the Ransom

While MGM grappled with the attack, Caesars Entertainment quietly paid Scattered Spider a ransom of about $15 million over its own breach. Reports suggested that Scattered Spider had obtained substantial amounts of data from both companies, reportedly including six terabytes (6 TB).

ALPHV’s LinkedIn-Based Approach  

ALPHV’s approach to compromising MGM Resorts was, by its own account, surprisingly simple. The group disclosed that it found an MGM employee on LinkedIn, made contact, and then called the help desk to gain access. This method underscores how vulnerable even the largest corporations remain to social-engineering attacks that target help-desk identity verification.
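A practical defensive counterpart to the help-desk vector described above is to correlate help-desk credential resets with the sign-ins that follow them. The example below is an added illustration, not code from the article or from any of the organizations mentioned; the log formats, field names and the two-hour window are assumptions, and the log lines are constructed. It flags any sign-in that occurs shortly after a help-desk reset from an IP/device pair the account has never used before, which is exactly what a phone-based takeover would look like.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article). Assumed format:
# "<ISO timestamp> <event> key=value ..." for both help-desk and auth logs.
HELPDESK_LOG = [
    "2023-09-08T21:05:00Z reset user=jdoe agent=hd17 method=phone",
    "2023-09-08T09:30:00Z reset user=asmith agent=hd02 method=phone",
]
AUTH_LOG = [
    "2023-09-01T08:00:00Z login user=jdoe ip=203.0.113.10 device=laptop-4412",
    "2023-09-07T08:05:00Z login user=jdoe ip=203.0.113.10 device=laptop-4412",
    # jdoe signs in 15 minutes after a phone reset from a never-seen IP/device.
    "2023-09-08T21:20:00Z login user=jdoe ip=198.51.100.77 device=unknown-9f3a",
    "2023-09-05T10:00:00Z login user=asmith ip=203.0.113.22 device=desk-0091",
    # asmith also signs in after a reset, but from a known IP/device: benign.
    "2023-09-08T09:45:00Z login user=asmith ip=203.0.113.22 device=desk-0091",
]


def parse(line):
    """Split one log line into (timestamp, event, {key: value})."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def flag_post_reset_logins(helpdesk_lines, auth_lines, window=timedelta(hours=2)):
    """Return alerts for sign-ins that follow a help-desk reset within `window`
    and come from an (ip, device) pair never seen for that account before."""
    resets = [parse(l) for l in helpdesk_lines if parse(l)[1] == "reset"]
    logins = sorted((parse(l) for l in auth_lines if parse(l)[1] == "login"),
                    key=lambda rec: rec[0])
    seen = {}      # user -> set of (ip, device) pairs observed so far
    alerts = []
    for ts, _, f in logins:
        user = f["user"]
        fingerprint = (f["ip"], f["device"])
        # Any reset for this user that precedes the login by at most `window`.
        recent_resets = [r for r in resets
                         if r[2]["user"] == user
                         and timedelta(0) <= ts - r[0] <= window]
        if recent_resets and fingerprint not in seen.get(user, set()):
            alerts.append({
                "user": user,
                "reset_at": recent_resets[0][0].isoformat(),
                "login_at": ts.isoformat(),
                "ip": f["ip"],
                "device": f["device"],
                "reset_method": recent_resets[0][2].get("method", "?"),
            })
        # Record the fingerprint only after checking, so a first-ever login
        # right after a reset is still flagged.
        seen.setdefault(user, set()).add(fingerprint)
    return alerts


if __name__ == "__main__":
    for alert in flag_post_reset_logins(HELPDESK_LOG, AUTH_LOG):
        print("ALERT: post-reset sign-in from new device", alert)
```

Run on the constructed data, this produces a single alert for `jdoe` (the sign-in from 198.51.100.77 on an unknown device fifteen minutes after a phone reset) and nothing for `asmith`. The rule is a detection, not a prevention: the control that actually closes the vector is stricter identity proofing for phone resets (call-back to a number on record, manager approval, or in-person verification), with this correlation as the backstop for when that process is talked around.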

Differing Outcomes for MGM and Caesars: Insider Trading Allegations 

Notably, while MGM’s customer-facing systems failed quickly after the attack, Caesars Entertainment maintained that its customer-facing operations were unaffected. This divergence highlights how much organizations differ in their preparedness for, and response to, cyber threats. ALPHV also reported that an unknown user appeared in the MGM victim chat a few hours after the ransomware was deployed, and that it could not link that user to MGM because its email inquiries went unanswered.

ALPHV further alleged that, before the attack reached the news cycle, seven MGM insiders had sold a combined $33 million in MGM stock, stating, “We are not sure about anyone else, but it is evident from this that no insiders have purchased any stock in the past 12 months, while seven insiders have sold shares for a combined 33 MILLION dollars. (https://www.marketbeat.com/stocks/NYSE/MGM/insider-trades/). This corporation is riddled with greed, incompetence, and corruption.”

Conclusion

The ALPHV/BlackCat ransomware group’s attack on MGM Resorts and Casinos serves as a stark reminder of the ever-present cyber threats facing businesses today. As the cybersecurity landscape continues to evolve, organizations must remain vigilant, invest in robust defense mechanisms, and prepare for the possibility of cyberattacks from sophisticated threat actors like ALPHV. The fallout from such incidents underscores the importance of comprehensive cybersecurity strategies and effective incident response plans for safeguarding sensitive data and business continuity. 
