With the FBI responding to more than 2,300 ransomware reports in 2022 alone, these attacks can seem commonplace—but certain incidents, due to their size, scope and victims, stand out from the rest and require attention from cybersecurity experts interested in protecting their infrastructure. One of these happened in early September when a cybercriminal gang targeted MGM Resorts, which runs several casinos in Las Vegas, with crypto-locking malware.
While MGM and its security team raced to respond to this ransomware incident, Caesars Entertainment published a financial disclosure statement that the company had sustained a data breach at about the same time. Later, The Wall Street Journal reported that the company paid out a portion of a $30 million demand, indicating the casino also sustained a ransomware attack.
For its part, MGM did not appear to pay the extortion, but reports indicated some of the casinos it oversees sustained numerous issues such as room keycards not working, ATMs without cash, and slot machines and other games not functioning.
Anatomy of an Attack
One of the many aspects of the MGM attack that stands out is that cybercriminals appear to have found a company employee profile on LinkedIn and then used social engineering techniques (including vishing), which springboarded the attackers into the wider network. The threat actors were then able to compromise Okta servers that provide identity and access management and multifactor authentication services as well as encrypt ESXi hypervisors, according to Bleeping Computer.
The investigation into the two incidents at these casinos remains active, but early reports indicate that the attacks are related to a Russian-linked group called Scattered Spider, which is affiliated with a larger criminal network dubbed ALPHV or BlackCat.
These disruptive and destructive incidents involving MGM and Caesars should not be viewed in isolation, experts noted. Instead, these ransomware attacks require study. Through a better understanding of what happened, tech professionals have a chance to take some key lessons away from these incidents and work to improve their organization’s security posture, which can prevent or minimize future attacks, whether it’s ransomware or some other type of threat.
“The realistic lesson that we need to learn is how we in cybersecurity approach human cyber risk management and the connection between people-targeted attacks, like the reported vishing call in the MGM breach, and human threat intelligence and swift incident response,” said Mika Aalto, co-founder and CEO of security firm Hoxhunt.
Lesson One: Take the Time to Upskill
As cybercriminal gangs become aggressive with their techniques (the FBI recently issued a warning about attacks involving multiple ransomware variants), tech and security professionals should look to incidents like the ones involving MGM and Caesars and see what skills they need to combat these attacks.
As criminal gangs also take advantage of newer developments, such as generative artificial intelligence (A.I.), the need for new skills grows, Aalto added.
“It's imperative that we upskill the people who are being targeted by phishing attacks and connect them with security teams upon human risk management platforms that accelerate [security operation center] response to reported threats and irregularities. Speed is absolutely crucial in incident response,” Aalto told Dice. “The faster someone can alert the SOC of a threat, the faster the security team can eliminate or contain that threat's spread.”
Lesson Two: Managing Risk
While gaining new technical skills might seem the most logical step following an attack, experts noted that security and tech pros need to know how to manage the risk their organization faces from cyber threats.
“Taking a proactive approach to monitoring, detection and response is a critical and foundational component to this strategy and should be a key part of any cybersecurity program,” George Jones, CISO at Critical Start, told Dice. “Coupling this with reducing attack surface, user training and enhanced security controls can put an organization in a strong posture to minimize exposure to threat actors and reduce the opportunity for events to occur that negatively impact the company.”
There are three areas where tech pros can help reduce risk to their organization, according to Jones. These include:
- Security Awareness Training: Organizations and their tech and security teams should invest in ongoing security awareness and training programs. All organizations should make this a requirement for all employees, including executives. The key skills should include recognizing phishing attempts and avoiding social engineering.
- Threat Hunting: Organizations should either develop a proactive threat-hunting capability to identify and mitigate threats before they can cause harm or work with a vendor that can provide this capability.
- Communication Skills: Tech and security leaders should seek to improve their ability to communicate security risks and strategies to technical and non-technical stakeholders.
Lesson Three: Bring Security to Everyone
In many ransomware incidents, such as the one that happened to MGM, cybercriminals look for weaknesses to exploit, including employees who might not be aware of every single threat or commit an unintended error, such as clicking on a phishing email or opening a malicious attachment.
This is one reason why jobs such as cybersecurity instructor are becoming more popular with many types of companies and organizations.
By helping employees understand the threat landscape and ensuring they are aware of what can happen, tech pros can take the skills they are learning and bring them to the entire organization.
“Employee training and education on cybersecurity best practices is another vital step in protecting an organization from a cyberattack,” Darren Guccione, CEO and co-founder at Keeper Security, told Dice. “These best practices include educating employees about what to look out for in phishing and social engineering attacks as well as avoiding risky attachments and websites. Employees must also understand the importance of having a unique and strong password for every account and enabling multi-factor authentication wherever possible.”
Lesson Four: Focus on Data
While strong-arming a casino might seem the best way to get away with a lot of cash, it’s the customer and financial data that is important to criminal gangs. The ransomware group can either sell the data or extort the organization by threatening to release the information on the dark web.
It’s why any skill training for tech pros needs to include more insights into what data that organization holds and why this data might be valuable to someone who wants to steal it.
“In both cases, once the attackers gained access to the internal systems, they targeted massive datasets both containing sensitive customer information,” Dan Benjamin, CEO and co-founder at Dig Security, told Dice about the attacks at MGM and Caesars. “As these threats remain relevant for enterprises that rely heavily on data, their best approach is to reduce their attack surface by focusing on the most critical and sensitive data.”