Twin cyberattacks on MGM Resorts and Caesars Entertainment have given rise to a unique opportunity to examine how organizations respond to similar cyber threats. Both companies fell victim to the Scattered Spider/ALPHV cyberattack, but their incident response strategies differed greatly. Caesars swiftly negotiated with the cyber attackers and paid a $15 million ransom, allowing them to resume business operations relatively quickly. On the other hand, MGM chose not to pay the ransom and worked towards restoring their operations, which took more than 10 days and resulted in significant revenue losses.
Although it may seem tempting to compare the effectiveness of the two approaches, experts argue that it’s an oversimplification. Rob T. Lee, the Chief Curriculum Director and Faculty Lead at the SANS Institute, emphasizes that incident response is about making the “least worst decision,” a complex task with both positive and negative outcomes. He asserts that there is no clear “win” in such situations, only decisions that prevent the situation from worsening.
One of the key dilemmas faced by incident responders is whether or not to pay a ransom. Paying a ransom does not guarantee the security of data or system recovery and can potentially encourage future cyberattacks. However, business risk decisions are rarely black and white, and urgency is always a factor. Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, suggests that Caesars’ quicker recovery after paying the ransom might give the impression of a better decision from a business continuity perspective.
Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, highlights that there are other factors to consider. Organizations only have a limited window of time to negotiate with ransomware threat actors before positions on both sides become hardened. Waiting too long to make a decision can result in frustration from cybercriminals and entrenched positions from enterprise security teams. Additionally, recovery costs should be taken into account. If recovery is painful but costs a few million dollars, it may be a more favorable option compared to an eight-figure extortion payment.
Analyzing the overall incident response strategies of MGM and Caesars, Guenther argues that Caesars prioritized keeping operations running, while MGM was willing to endure short-term financial losses for long-term cybersecurity gains. MGM’s decision not to pay the ransom, despite the financial losses, might stem from a broader perspective on the implications of ransom payments. The duration of their disruption likely reflects a comprehensive internal review and restoration process aimed at fully mitigating all threats. On the other hand, Caesars’ response was described as “decisive.”
Experts generally acknowledge that both companies managed their incident responses well under challenging circumstances, mitigating the extent of the damage. In terms of Caesars’ ransom payment, the $15 million is a relatively small fraction compared to the organization’s overall revenues. Andrew Barratt, Vice President at Coalfire, states that it would not significantly impact their earnings call. Barratt also notes that MGM’s ten-day recovery time is commendable compared to other incidents he has seen in the industry.
While incident recovery success depends on various factors such as cybersecurity hygiene, system architecture, tools, and talent, SANS Institute’s Lee emphasizes that it can be as unpredictable as pulling a slot machine. Therefore, attributing Caesars’ better recovery solely to the ransom payment would be misleading. Ultimately, incident response is a complex process with no guaranteed outcomes, and outcomes that might be considered success may sometimes be a matter of luck.
In conclusion, the twin cyberattacks on MGM Resorts and Caesars Entertainment have shed light on the contrasting incident response strategies employed by organizations facing similar threats. Determining whether or not to pay a ransom is a challenging decision that involves multiple considerations, and there is no definite right or wrong choice. Both MGM and Caesars managed their responses effectively, considering the circumstances, and mitigated further damage. The focus should be on the complex nature of incident response, rather than attempting to compare the outcomes of two distinct approaches.