MGM Resorts made a bold decision following a ransomware attack in September — the hospitality and casino giant chose not to negotiate with cybercriminals. And now, based on its recent Securities and Exchange Commission (SEC) disclosure, it seems that the gamble has paid off.
MGM's incident response strategy stood in sharp contrast to that of Caesars Entertainment, which, after being breached by the same threat actors, decided to pay a negotiated ransom of $15 million to swiftly move on. In the days following the cyberattacks on the casino industry, Caesars was able to resume day-to-day operations, while MGM struggled to regain control for over a week.
According to MGM’s revised SEC disclosure filing (Form 8-K), the company suffered approximately $100 million in losses as a result of the breach. At first glance, this seems like a significant amount. However, MGM clarified that these losses will only have a slight impact on the company’s financials for the third quarter, with minimal potential spillover into the fourth quarter. To put it into perspective, in the second quarter alone, MGM recorded nearly $4 billion in revenue across its global operations, with $2.1 billion coming from its Las Vegas properties.
“The Company does not expect that it will have a material effect on its financial condition and results of operations for the year,” stated MGM. Looking ahead, they are already anticipating a boost to their fourth quarter earnings from the November Formula 1 racing event coming to the Vegas Strip.
On the other hand, Caesars may have recovered and resumed operations more quickly, but in doing so, they rewarded cybercriminal activity and may have overlooked crucial recovery work, according to Anne Cutler, a cybersecurity evangelist with Keeper Security.
Cutler points out that paying a ransom to cybercriminals does not guarantee the full return of an organization’s systems and data. Instead, it only further supports the ransomware ecosystem. “Although the $100 million in losses are costly on the surface, MGM’s decision not to pay the ransom followed the course of action recommended by cybersecurity experts, government, and law enforcement,” Cutler explains.
This outcome presents a surprising business case for refusing to negotiate with cybercriminals following a ransomware attack. It challenges the notion that deep pockets make organizations better or worse targets for ransomware.
Viakoo CEO Bud Broomhead emphasizes that no company is truly too big to hack. The key lies in building resilience to withstand hacking attempts. He suggests that MGM’s significant investment in backup and recovery may have enabled them to quickly identify their vulnerabilities and become even more resilient for future attacks.
Cutler further adds that small- and midsize businesses are more vulnerable to the devastating impacts of a ransomware attack. Such an attack could force them out of business entirely. Larger businesses, like MGM, have the financial capacity to absorb the costs of remediation.
Rather than deciding whether or not to pay after a ransomware attack, businesses are wiser to continuously invest in cybersecurity technology to keep up with evolving threats. According to Omri Weinberg, co-founder of DoControl, no company can ever be fully immune to cyber attacks. It’s crucial to strategically allocate resources and funds to strengthen cybersecurity practices. Adversaries will always be more sophisticated, making it a never-ending game.
Despite the risks, Broomhead commends MGM’s incident response to the ransomware attack, stating that they deserve credit for not paying the ransom. He hopes that their example will encourage more organizations to prioritize resiliency and business continuity. “It’s never a question of will you be hacked, just when you’ll be hacked and how prepared you are for it,” Broomhead concludes.
In conclusion, by opting not to negotiate with cybercriminals, MGM Resorts has showcased an alternative approach to dealing with ransomware attacks. While the losses may appear significant, their decision aligns with the guidance of experts, government agencies, and law enforcement. Moreover, their resilience and dedication to cybersecurity have positioned them for continued success in the industry. This case serves as a reminder for businesses of all sizes to invest in robust cybersecurity measures to protect against the ever-evolving threat landscape.