A tale of 2 casino ransomware attacks: One paid out, one did not

The same cybercrime crew broke into two high-profile Las Vegas casino networks over the summer, infected both with ransomware, and stole data belonging to tens of thousands of customers from the mega-resort chains. But despite the similar characters and plots, these two stories have disparate endings — and seem to suggest two very different takeaways to corporations confronted with extortionists' demands and the question of paying or not paying a ransom.
The first, Caesars Entertainment, which owns more than 50 resorts and casinos in Las Vegas and 18 other US states, disclosed the intrusion in an 8-K form submitted to the SEC on September 7. In its report to the financial watchdog, Caesars cited a "social engineering attack on an outsourced IT support vendor," which we now know was Okta, and said the crooks stole its customer loyalty program database, which contained a ton of personal information. The casino owner also noted, in the filing, that it had "taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result." These steps are widely assumed to include paying a ransom — which was reportedly negotiated down to $15 million after an initial demand for $30 million.
The other company, of course, is MGM Resorts, which owns 31 hotel and casino locations globally. Like Caesars, MGM was also an Okta customer that fell victim to phishing attempts targeting its IT service teams. But unlike Caesars, MGM did not pay the ransom. MGM Resorts CEO Bill Hornbuckle has since said that's because his company had already started rebuilding its IT systems. MGM also did not respond to The Register's requests for comment. Ultimately, MGM suffered nearly a week of outages, operational disruptions, and angry customers, costing the corporation about $100 million in losses — and now its stolen data has reportedly been leaked.
When looking at what ransomware payments end up funding (weapons development, oppressive regimes, more cybercrime and network intrusions), with all other things being equal, we'd assume most organizations would choose not to give in to extortion demands. But when looking at both casinos' outcomes, it appears as if the clear, less painful choice is to pay the ransom.
The Register 12/28/2023