Breach Notification , Critical Infrastructure Security , Cybercrime
Caesars Confirms Ransomware Payoff and Customer Data Breach
MGM Resorts Continuing to Be Extorted by the Same Alphv/BlackCat Ransomware GroupCasino and hotel giant Caesars Entertainment is warning customers that their personal details were stolen in a recent hack attack. After successfully shaking down Caesars for a ransom, the same attackers are continuing to extort MGM Resorts, claiming to have crypto-locked its EXSi hypervisors.
See Also: 57 Tips to Secure Your Organization
Both attacks by the Alphv ransomware group, which spun off from Conti and is also known as BlackCat, first came to light publicly this week. MGM Resorts continues to face widespread IT outages as a result (see: Big MGM Resorts Outage Traces to Ransomware, Researchers Say).
Caesars has reported no outages and said that while its investigation remains ongoing, it has confirmed that an attacker stole information on customers, including a copy of its loyalty club member database that includes driver's license or Social Security numbers for many individuals (see: Caesars Entertainment Reportedly Pays Ransom to Attackers).
"We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor," Caesars said Thursday in a Form 8-K "report of unscheduled material events or corporate event" filing to the U.S. Securities and Exchange Commission. The company said it's not yet clear if attackers also stole passwords, PINs, bank account details or credit or debit card data.
Caesars has not said when the attack against it started, saying instead that it "recently identified suspicious activity" in its IT environment "resulting from a social engineering attack on an outsourced IT support vendor used by the company." The company said that on Sept. 7 it confirmed the hacker stole data.
"Our customer-facing operations, including our physical properties and our online and mobile gaming applications, have not been impacted by this incident and continue without disruption," the company said.
Caesars said it will offer identity theft monitoring to all affected individuals and that "in the coming weeks" it will be contacting victims directly as required by states' data breach notification rules.
News of the ransomware attack against Caesars was first reported Wednesday by Bloomberg. The business paid a ransom to Alphv worth approximately half of the $30 million attackers had demanded, The Wall Street Journal reported.
In its SEC filing, Caesars appears to confirm the ransomware payment. "We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result," it said.
Extortionists Threaten MGM
Public signs of the attack against MGM Resorts first appeared Monday, amid widespread reports that the company's hotels and casinos in Las Vegas and beyond were suffering IT failures. Guests reported being unable to use key cards to access their rooms, pay using credit cards in restaurants or withdraw money from ATMs, among other disruptions.
In a Tuesday statement, MGM Resorts blamed the outages on an unspecified "cybersecurity issue" and said it was continuing "to implement measures to secure its business operations and take additional steps as appropriate" as part of an ongoing investigation. The company also said it was "taking steps to protect our systems and data, including shutting down certain systems."
While MGM Resorts didn't say if it was attacked by a ransomware group, Alphv claimed credit for the attack in communications with the VX-Underground malware research group.
The attackers continue to try and extort MGM Resorts, which reported 2022 annual revenue of $13.1 billion, including by listing it on its Tor-based data leak site and detailing the attack.
In a statement, the ransomware group said it had infiltrated MGM Resorts' IT environment on Sept. 8, gaining admin-level access to its Okta identity servers and "Azure tenant," which may refer to the company's Active Directory implementation. The attackers said MGM Resorts proactively deactivated parts of its network on Saturday and Sunday.
On Monday, Alphv said that after it had demanded a ransom and MGM Resorts didn't pay - or allegedly even attempt to communicate - "we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment."
The attackers notably avoid confirming if they stole any data. Instead, their statement includes extensive self-promotion and makes unsubstantiated claims about MGM Resorts' business practices, all of which are typical moves by ransomware-wielding extortionists.
"Similar to many of these ransomware manifestos this one is self-indulgent and full of faux indignation," said Allan Liska, principal intelligence analyst at Recorded Future, in a blog post. "This, of course, completely ignores the fact that they are the criminals here, they broke into the networks, stole data, locked systems and are threatening to leak sensitive data unless MGM pays their extortion demands."
Ransom Payment Problems
Neither Caesar nor MGM Resorts responded to requests for additional information about the attacks against them or their response.
The approximately $15 million ransom payment Caesars gave to its attackers would be a small fraction of its annual revenue of $11.4 billion for the year ending June 30, it reported.
Law enforcement officials and security experts warn that paying ransoms to attackers rewards criminality and perpetuates this illicit business model, driving repeat attacks and attracting newcomers. Experts acknowledge that choosing whether or not to pay is a business decision and that sometimes a victim must pay for a decryptor to restore encrypted data or risk going out of business.
Ransomware and law enforcement experts continue to urge victims to never pay a ransom for any other reason, such as what Caesars has done, which is for a promise from extortionists to delete data they stole. A victim will never have any proof this promise has been kept, and experts say there is no evidence showing such a promise has ever been honored.
"You can't audit that - threat actors deleting the data. You can't look in every corner of every cybercriminal forum to see if the information is being sold or shopped anyway," Bill Siegel, CEO of ransomware response firm Coveware, told Information Security Media Group (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
"There's no way to tell if the threat actor is going to come back and re-extort the organization later on, and in a lot of cases we see, that ends up happening," he said.