The number of reported ransomware attacks in September may have decreased, but the consequences were far-reaching for two prominent Las Vegas establishments. Both MGM Resorts and Caesars Entertainment fell victim to ransomware attacks last month, causing significant disruptions and resulting in hefty ransom demands. The decrease in reported attacks aligns with findings from NCC Group’s August “Cyber Threat Intelligence Report,” which also noted a decline in the number of ransomware attacks in recent months.
While the overall number of attacks may have decreased, the September victims still suffered from extended periods of downtime and faced substantial ransom demands. Among the most notable cases were MGM and Caesars, both of which were initially breached through social engineering campaigns utilizing vishing attacks. Notably, both casinos were also customers of Okta, an identity and access management vendor.
In August, Okta confirmed that four of its customers had been compromised in a social engineering campaign, during which the attackers gained highly privileged roles in the customers’ Okta tenants. Security vendors Trellix and Mandiant attributed the campaign to Scattered Spider, a threat group well-known for its effective phishing techniques. Okta observed the wave of attacks from July 29 through August 19 and confirmed that Caesars was among the four victims. MGM, on the other hand, became the fifth victim of the social engineering campaign against Okta customers, but its compromise occurred after August 19. Subsequently, the attackers exploited the privileged access obtained through compromised Okta super administrator accounts.
Caesars publicly disclosed the attack it experienced on September 14 through an 8-K filing. The attack, which began around September 7, resulted in a data breach. While the disclosure did not explicitly mention ransomware, Caesars stated that it took steps to ensure the unauthorized actor deleted the stolen data, although it couldn’t guarantee this outcome. On the same day, The Wall Street Journal reported that Caesars had paid a $15 million ransom demand to the attackers. The filing also confirmed that the attack did not disrupt Caesars’ physical properties or its online and mobile gaming applications.
MGM, on September 12, disclosed a cybersecurity issue that compelled it to shut down specific systems and notify law enforcement. The incident led to disruptions for guests, causing problems with room key access, delayed check-ins, shutdowns of slot machines and ATMs, and more. Unlike the attack on Caesars, the incident at MGM had a more tangible impact on the physical amenities of the resort and casino.
The fallout from ransomware attacks extended beyond the entertainment industry. In Mississippi’s Hinds County, a ransomware attack that began overnight on September 6 had catastrophic consequences. Kenny Wayne Jones, the county administrator, described the attack as “catastrophic” in a report by ABC affiliate 16 WAPT on September 11. The county held an emergency board meeting less than two weeks later, during which officials approved over $600,000 for cyber-recovery efforts.
As with previous months, healthcare institutions remained lucrative targets for ransomware attackers. McLaren Healthcare, based in Michigan, had to shut down certain systems on September 5 after suffering a cyber attack. Although the healthcare system did not initially confirm that ransomware was involved, the BlackCat/Alphv ransomware group mentioned a Michigan-based hospital victim on its public data leak site, prompting McLaren to eventually confirm the involvement of ransomware.
Carthage Area Hospital and Claxton-Hepburn Medical Center in New York were also targeted in an attack on August 31, which forced the hospitals to divert emergency room patients out of precaution. At that time, Richard Duvall, CEO of both hospitals, reported no ransom demands. However, on September 15, Duvall confirmed that the hospitals did receive a ransom demand. The LockBit ransomware gang later claimed responsibility for the attack.
The September decrease in reported ransomware attacks offers some respite, but the impact felt by victims such as MGM Resorts, Caesars Entertainment, Hinds County, McLaren Healthcare, and the New York hospitals underscores the continued threat posed by ransomware. It serves as a reminder that organizations across industries must remain vigilant and continue to invest in robust cybersecurity measures to mitigate the risk of falling victim to these increasingly sophisticated attacks.