Massive MGM and Caesars Hacks Epitomize a Vicious Ransomware Cycle

Cyberattacks on casinos grab attention, but a steady stream of less publicized attacks leaves vulnerable victims struggling to recover.

The casino and hotel company MGM Resorts has dealt with widespread system outages and service disruptions at its properties in Las Vegas and elsewhere this week following a cyberattack that the company has been scrambling to contain. Meanwhile, Caesars Entertainment said in a United States regulatory filing on Thursday that it suffered a recent data breach in which many of its loyalty program members' Social Security numbers and driver's license numbers were stolen, along with other personal data.

The two high-profile incidents have drawn scrutiny this week, with MGM customers reporting sporadic keycard issues in the company's hotels, slot machines gone dark, ATMs out of order, and other difficulties staying at MGM properties and cashing out winnings. After Bloomberg broke the news on Wednesday about the Caesars breach, The Wall Street Journal reported on Thursday that Caesars had paid roughly half of the $30 million its attackers demanded in exchange for a promise that they wouldn't release stolen customer data. While both are significant, experts emphasize that the fallout from this pair of prominent hacks fits into a broader context of ransomware attacks as a ubiquitous, unrelenting, and inveterate threat.

The recent spate of casino hacks exemplifies a larger cycle in which certain cyberattacks bring a lot of attention to digital threats and even spur governments to act. Ultimately, ransomware and data extortion attacks settle into the background again, even as they continue to wreak havoc and impact vulnerable populations.

“Attacks against casinos are dramatic and draw attention. We have whole movie and TV franchises about casino heists,” says Lesley Carhart, director of incident response at the industrial-control security firm Dragos. Still, “a lot of life-impacting attacks on critical infrastructure and health care occur far less visibly, and therefore, they aren't an easy draw for mass media. I do not think this is an issue with cybersecurity or even media in its entirety—it is a human psychology issue. We've had that problem for a long time in the industrial-control system cybersecurity space where attacks could really mean life or death, but are not a great story.”

An affiliate of the notorious ransomware group Alphv, a Russia-based gang that is also known as BlackCat, claimed responsibility this week for the MGM attack. The group denied involvement in the Caesars hack. Casinos have long been a target for attackers because they make a lot of money, hold potentially valuable customer data, and historically haven't always been well secured. MGM itself suffered a breach in 2019 in which more than 10.6 million hotel customers had their data stolen and ultimately published online by hackers.

But Alphv is known for being a prolific and ruthless attacker even when its hacks aren't garnering constant coverage and discussion. As many cybercriminals do when they are looking to extort money from victims, the gang has targeted health care organizations and other critical institutions that hold sensitive data. Alphv has even been known to release samples of stolen data, like intimate and graphic medical photos, in an attempt to pressure targets into paying their ransom.

These tactics have escalated as global law enforcement's efforts to deter cybercriminals and keep victims from paying ransoms have made inching progress. But those gains have been undermined by dogged and aggressive attackers bent on making a profit no matter the impact on victims.

“While attacks on dice joints and sausage factories are what brings ransomware into the limelight, at least it’s in the limelight,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “The more attention the problem gets, the more policymakers may be inclined to try new strategies. And new strategies are desperately needed. Ransomware is at or close to record level, so the current strategies obviously are not working.”

Law enforcement around the world, including the FBI, has long discouraged victims from paying ransoms. And governments have at times been able to impose limits or bans on targets' ability to pay if a cybercriminal actor is under sanctions. But Callow says it may be time for governments to add more limitations on when ransoms and extortion demands can be legally paid, since so many actors operate with impunity in countries like Russia where they often can't be effectively prosecuted.

Ultimately, researchers suggest that while there is no simple solution to the threat of ransomware, each high-profile incident that breaks through into the public consciousness should be used as an opportunity to educate institutions and legislators about the reality of the risks and the need to invest resources in improving digital defenses proactively.

“We generally see more coverage of cases that impact end users or consumers in a way that makes daily activity more challenging—getting gas, buying meat at the grocery store, hundreds or thousands of people trying to check into a hotel room after a long day of traveling—because those impacts are a bit more tangible and relatable for the average person,” says Wendi Whitmore, senior vice president of the threat intelligence group Unit 42 at cybersecurity firm Palo Alto Networks. “If there is any silver lining to these types of cases, it could be that they garner attention that helps more organizations learn lessons proactively by studying these cases and closing potential gaps in their environments, so the same attacks are less successful in the future.”