MGM Resorts, an S&P 500® global hotel and entertainment company, recently experienced a cyberattack. The incident impacted MGM’s website, caused computer outages at locations nationwide, and interrupted the operation of slot machines, ATMs, hotel room keys, and payment systems.
On September 12, MGM released the following statement:
“MGM Resorts recently identified a cybersecurity issue affecting certain of the Company’s systems. Promptly after detecting the issue, we began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and are taking steps to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to resolve the matter. The Company will continue to implement measures to secure its business operations and take additional steps as appropriate.”
This incident also resulted in significant financial impact. According to NASDAQ, shares of the company’s stock have fallen 7.9%, from $43.74 to $40.29, between September 8 and 18.
The ALPHV (aka BlackCat) ransomware group claimed responsibility for this attack.
Update from ALPHV’s Dark Web Site
Arete has gained a deep understanding of ALPHV/BlackCat operations by working with nearly 100 clients impacted by the ransomware group since 2021. Arete’s Threat Intelligence team monitors multiple data leak sites and discovered that on September 14, the ALPHV group claimed they gained access to the MGM network on September 8. After multiple failed attempts to get in touch with the victim, ALPHV released their ransomware payload to more than 100 ESXi hypervisors in MGM’s network environment:
In this post, the group states:
“Their network has been infiltrated since Friday.”
“After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident.”
“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point.”
“We still continue to have access to some of MGM’s infrastructure. If a deal is not reached, we shall carry out additional attacks. We continue to wait for MGM to… reach out as they have clearly demonstrated that they know where to contact us.”
Insights on ALPHV/BlackCat
Arete’s mid-year Crimeware Report, Turning Tides – Navigating the Evolving World of Cybercrime, highlighted ALPHV/BlackCat as one of the top ransomware groups observed in the second half of 2022 (H2 2022) and the first half of 2023 (H1 2023) based on data from our incident response engagements.
Additional data also reveals that ALPHV/BlackCat remains one of the top three threat actor groups observed by Arete since Q3 of 2022.
Below are insights on ALPHV based on Arete’s incident response engagements:
- Sectors affected include entertainment, critical infrastructure, financial services, healthcare, manufacturing, professional services, public services and retail.
- Average ransom demand: $1,992,971
- Percentage of time data exfiltration occurs: 70%
- Average business downtime: 5.3 days
- Tools used: CobaltStrike, Mimikatz, Megasync, LaZagne, and WebBrowserPassView
- ALPHV/Blackcat uses various entry points to infect the victim’s network, including phishing emails, compromised credentials, and remote desktop protocol (RDP) brute force attacks.
- Other malware is used as a stepping stone to launch the ransomware payload.
- To increase potential reach and impact, the group targets both Windows and Linux devices, as well as network-attached storage (NAS) devices, which are often used to store backups and sensitive data.
To learn more about ALPHV/BlackCat and how to protect your organization from cyberattacks, download Turning Tides – Navigating the Evolving World of Cybercrime.
Our team of experts is here to assist you with this and any other related cyber incidents. Available services include Incident Response & Forensics, Threat Actor Negotiations, Crypto Operations, Security Operations (SOC), Restoration, and Threat Intelligence.
Cyber Emergency Hotline: 866.210.0955
New Engagements: [email protected]
Sources:
- https://investors.mgmresorts.com/investors/news-releases/press-release-details/2023/MGM-RESORTS-INTERNATIONAL-STATEMENT-ON-CYBERSECURITY-ISSUE/default.aspx
- https://www.bankinfosecurity.com/big-mgm-resorts-outage-traces-to-ransomware-researchers-say-a-23068
- https://www.nasdaq.com/market-activity/stocks/mgm
Related Resources
![]()
ALPHV/BlackCat Seemingly Returns to Business as Usual
Despite law enforcement’s disruption to ALPHV/BlackCat’s infrastructure in December 2023, the group has since resumed operations.
Read more
Law Enforcement Actions Leave ALPHV/BlackCat Scrambling to Salvage Operations
Through a coordinated law enforcement effort spearheaded by the FBI, ALPHV/BlackCat infrastructure was disrupted on December 7, 2023, in an operation publicly announced on December 19, 2023.
Read moreVideo: Managed Services Client Story
After seeing the rise of cyber attacks, a non-profit organization became serious about protecting its systems and building cyber resilience.
Read more
