Skip to Main Content

Article

ALPHV/BlackCat Ransomware Group Claims Responsibility for MGM Resorts Attack

Share

Summary

The ALPHV/ BlackCat ransomware group claimed responsibility for the MGM Resorts cyberattack in September 2023. The attack disrupted MGM’s operations, including slot machines, ATMs, and payment systems, causing significant financial and operational damage. Arete’s detailed analysis highlights ALPHV/BlackCat’s methodologies and the sectors affected by their attacks.


MGM Resorts recently identified a cybersecurity issue affecting certain of the Company's systems. Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and are taking steps to protect our systems an

MGM Resorts, an S&P 500® global hotel and entertainment company, recently experienced a cyberattack. The incident impacted MGM’s website, caused computer outages at locations nationwide, and interrupted the operation of slot machines, ATMs, hotel room keys, and payment systems.

On September 12, MGM released the following statement:

“MGM Resorts recently identified a cybersecurity issue affecting certain of the Company’s systems. Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to resolve the matter. The Company will continue to implement measures to secure its business operations and take additional steps as appropriate.”

This incident also resulted in significant financial impact. According to NASDAQ, shares of the company’s stock have fallen 7.9%, from $43.74 to $40.29, between September 8 and 18.

The ALPHV (aka BlackCat) ransomware group claimed responsibility for this attack.

Update from ALPHV’s Dark Web Site

Arete has gained a deep understanding of ALPHV/BlackCat operations by working with nearly 100 clients impacted by the ransomware group since 2021. Arete’s Threat Intelligence team monitors multiple data leak sites and discovered that on September 14, the ALPHV group claimed they gained access to the MGM network on September 8. After multiple failed attempts to get in touch with the victim, ALPHV released their ransomware payload to more than 100 ESXi hypervisors in MGM’s network environment:

Source: Arete
Source: Arete

In this post, the group states:

“Their network has been infiltrated since Friday.”

“After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident.”

“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point.”

“We still continue to have access to some of MGM’s infrastructure. If a deal is not reached, we shall carry out additional attacks. We continue to wait for MGM to… reach out as they have clearly demonstrated that they know where to contact us.”

Insights on ALPHV/BlackCat

Arete’s mid-year Turning Tides – Navigating the Evolving World of Cybercrime, highlighted ALPHV/BlackCat as one of the top ransomware groups observed in the second half of 2022 (H2 2022) and the first half of 2023 (H1 2023) based on data from our incident response engagements.

Source: Arete

Additional data also reveals that ALPHV/BlackCat remains one of the top three threat actor groups observed by Arete since Q3 of 2022.

Source: Arete

Below are insights on ALPHV based on Arete’s incident response engagements:

  • Sectors affected include entertainment, critical infrastructure, financial services, healthcare, manufacturing, professional services, public services, and retail.
  • Average ransom demand: $1,992,971
  • Percentage of time data exfiltration occurs: 70%
  • Average business downtime: 5.3 days
  • Tools used: CobaltStrike, Mimikatz, Megasync, LaZagne, and WebBrowserPassView
  • ALPHV/BlackCat uses various entry points to infect the victim’s network, including phishing emails, compromised credentials, and remote desktop protocol (RDP) brute force attacks.
  • Other malware is used as a stepping stone to launch the ransomware payload.
  • To increase potential reach and impact, the group targets both Windows and Linux devices, as well as network-attached storage (NAS) devices, which are often used to store backups and sensitive data.

To learn more about ALPHV/BlackCat and how to protect your organization from cyberattacks, download Turning Tides – Navigating the Evolving World of Cybercrime.

Our team of experts is here to assist you with this and any other related cyber incidents. Available services include Incident Response & Forensics, Threat Actor Negotiations, Crypto Operations, Security Operations (SOC), Restoration, and Threat Intelligence.

Cyber Emergency Hotline: 866.210.0955

New Engagements: [email protected]

Sources: