A tale of 2 casino ransomware attacks: One paid out, one did not
What can be learned from MGM's and Caesars' infosec moves
The same cybercrime crew broke into two high-profile Las Vegas casino networks over the summer, infected both with ransomware, and stole data belonging to tens of thousands of customers from the mega-resort chains.
But despite the similar characters and plots, these two stories have disparate endings — and seem to suggest two very different takeaways to corporations confronted with extortionists' demands and the question of paying or not paying a ransom.
The first, Caesars Entertainment, which owns more than 50 resorts and casinos in Las Vegas and 18 other US states, disclosed the intrusion in an 8-K form submitted to the SEC on September 7.
In its report to the financial watchdog, Caesars cited a "social engineering attack on an outsourced IT support vendor," which we now know was Okta, and said the crooks stole its customer loyalty program database, which contained a ton of personal information.
The casino owner also noted, in the filing, that it had "taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result."
These steps are widely assumed to include paying a ransom — which was reportedly negotiated down to $15 million after an initial demand for $30 million.
Caesars did not respond to The Register's inquiries for this or previous stories about the ransomware infection.
What happens in Vegas…
From the outside, at least, it appears that Caesars suffered minimal pain and business disruption primarily because it decided to pay the ransom. Meanwhile, as Caesars' breach became public, its neighboring resort and casino on the Vegas Strip entered its fourth day of inoperable IT systems and casinos following a "cybersecurity issue."
That other company, of course, is MGM Resorts, which owns 31 hotel and casino locations globally. Like Caesars, MGM was also an Okta customer that fell victim to phishing attempts targeting its IT service teams.
Scattered Spider, the crime gang believed to be responsible for both intrusions, reportedly bragged that all it took to break into MGM's networks was a 10-minute call with the help desk.
But unlike Caesars, MGM did not pay the ransom. MGM Resorts CEO Bill Hornbuckle has since said that's because his company had already started rebuilding its IT systems. MGM also did not respond to The Register's requests for comment.
Ultimately, MGM suffered nearly a week of outages, operational disruptions, and angry customers, costing the corporation about $100 million in losses — and now its stolen data has reportedly been leaked.
'Like cutting the cheese in a packed elevator'
When looking at what ransomware payments end up funding (weapons development, oppressive regimes, more cybercrime and network intrusions), with all other things being equal, we'd assume most organizations would choose not to give in to extortion demands.
"Paying a ransom is like cutting the cheese in a packed elevator: it makes other people suffer," Emsisoft threat analyst Brett Callow told The Register. "Put simply, companies that pay keep ransomware alive and ensure other companies will be attacked. If nobody paid, there'd be no more ransomware."
But when looking at both casinos' outcomes, it appears as if the clear, less painful choice is to pay the ransom.
Still, even if you're willing to ignore the murky ethical issues around funding criminal organizations, it's not that cut and dried.
"The MGM and Caesars incidents aren't necessarily comparable," Callow said. "We don't know the scope of each, which systems were impacted, whether backup systems were impacted, etc., etc., etc. And it would be a mistake to assume that Caesars' seemingly easier recovery was due to it having paid."
Plus, infosec armchair quarterbacks have limited visibility into each company's security hygiene and strategy, their network architecture, even the relationship with and oversight from the board of directors. All of these also likely went into the casino execs' decisions, said Megan Stifel, chief strategy officer for the Institute for Security and Technology and the executive director of the IST's Ransomware Task Force.
"The other thing I think is: who was involved with the negotiating process? Did they involve a negotiator?" Stifel told The Register. "While there's this perception out there that these negotiators are part of the problem, I think that's a very misplaced attention."
This is because it draws attention away from the two big issues that facilitate ransomware — and cybercrime in general, Stifel added. Namely: insecure hardware and software, and the criminal organizations themselves. "So why is it that networks are so Swiss cheese that these guys can actually take advantage of this Swiss cheese?"
To pay or not to pay?
There are a number of factors that play into a company's decision to pay or not pay a ransom, according to incident responders.
"These include: the type of data compromised, the availability of backups, the relative time and effort to restore from backup versus to decrypt with the ransomware key, the financial impact on the organization associated with the downtime, and the group conducting the extortion," Sam Rubin, VP of Unit 42 Consulting at Palo Alto Networks, told The Register.
"It's often a very difficult decision to make, and unfortunately, there's no one size fits all way to look at these scenarios," Rubin added. "What works for one organization may not work for the next one."
Plus, digital intrusions and clean-up efforts don't always go according to plan.
"In some cases we have worked, the organization refused to pay the ransom, and then the level of extortion that played out afterwards was so intense, the organization told us they regretted not just paying them in the first place," Rubin said.
Organizations also need to consider the type of information stolen in the attack. If this includes health-care records, or data belonging to or about minors, they may be more inclined to pay the demand rather than have this information leaked, Kimberly Goody, head of cyber crime analysis at Mandiant, told The Register.
It also depends on the sector, because sometimes a ransomware infection can become a life-or-death situation.
"Look at the hospitals that have been impacted and they weren't able to monitor patients' rooms remotely, so they had to staff nurses in each of these rooms to make sure that something terrible didn't happen," Goody said.
Goody also noted the 2021 Colonial Pipeline attack and fuel shortage that ensued, as well as the oil company CEO's very public decision to pay the crooks.
"You can see in that particular incident how it had ripple effects that were really impactful to US citizens at the time," she said. "Sometimes when you are providing really critical services, to get back up online quickly, unfortunately [you] do have to make that decision to pay even though that's not something you really want to do."
Sanctions matter
Government sanctions are another outside factor likely to influence an organization's decision. In addition to the ethical problems of paying criminals, and thus funding future cyberattacks on more victims, paying the extortionists may, in fact, be illegal.
One cyber-crime crew that Mandiant tracks as UNC2165, which has ties to Evil Corp, began switching up the ransomware it deployed after the US sanctioned Evil Corp in 2019 over its development and use of Dridex malware.
This banned Americans "from engaging in transactions" with Evil Corp, and "foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions" with the gang.
UNC2165 "continuously was changing the ransomware brand that they were deploying, and we believe that they did that because they were having trouble receiving payments from victim organizations," Goody said.
These types of sanctions, and other coordinated efforts between governments that increase the cost of criminals doing business, are what's needed to disrupt the ransomware ecosystem, according to IST's Stifel.
She counts the RagnarLocker, Hive and Qakbot takedowns among the "operational successes this year on the international-coalition front," but adds that there's much more to be done.
"We also need to be putting pressure on the elements of the Internet ecosystem that enabled them to continue to operate with impunity," Stifel said. "So things like bulletproof hosters, some of the exchanges and the mixers, and companies hosting wallets that are not following the law to the fullest extent."
"We're headed in the right direction," she said. "And we need to keep our foot on the accelerator."