Contactez-nous Suivez-nous sur Twitter En francais English Language

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Cyber Stakes: The MGM Ransomware Roulette

September 2023 by Check Point

On the 12th of September 2023, MGM Resorts was reportedly subjected to a ransomware attack that took multiple systems offline at some of its major locations in Las Vegas. The attack left guests locked out of their rooms and unable to transact both on site and through the MGM mobile app. Eventually the affected casino hotels had to process transactions manually. It is expected that this incident will have a material effect on its operations as it continues to deal with the fallout.

At the time of reporting the incident, it was unclear who was behind the campaign, although there was speculation circulating on social media platforms. What we now know is that prolific ransomware group ALPHV has confirmed responsibility, publishing a statement on their Dark Web website in a move that marks the first time the group has publicly disclosed their involvement in an attack.
In the statement, they discuss how they infiltrated MGM Resorts on the 11th of September after many attempts to reach out to them. They have not confirmed what PII (Personally Identifiable Information) has been exfiltrated while they continue negotiations with MGM. However, they stated they will notify external sites such as if conversations with MGM do not lead to a resolution in their favor. You can read the full statement below.

ALPHV and the rise of Mega Ransomware
Like many established ransomware groups, ALPHV has evolved to become a well-organized operation carrying out large-scale attacks on high profile companies.
ALPHV (also known as BlackCat) is a ransomware-as-a-service (RaaS) threat actor that emerged in late 2021. It is known for using the Rust programming language and has capabilities to attack Windows and Linux-based operation systems. ALPHV is marketed on cybercrime forums and operates an affiliate program. Some affiliates have targeted organizations in a variety of industries, including healthcare, manufacturing, and government. The group has been known to leak stolen data if its ransom demands are not met and operates several Dark Web blogs for this purpose.
ALPHV is one of the major RaaS threat groups, responsible for almost 9% of all published victims in the past 12 months on Dark Web shame sites, preceded only by cl0p and Lockbit.

In the last 12 months, ALPHV published the identity of around 400 of its victims who refused to pay the ransom. The geographical distribution of its victims is typical of the ransomware ecosystem, with more than half based in the USA.

In August 2023, Check Point Research observed 918 average weekly cyberattacks per organization in the leisure/hospitality industry globally, with 396 occurring in the US. It was the 11th most attacked sector in H1. ALPHV has targeted victims across multiple sectors including manufacturing, healthcare and legal.

Sergey Shykevich, threat intelligence group manager at Check Point Research said: “This incident is yet more proof of the growing trend of ransomware attackers focusing on data extortion and targeting of non-windows operating systems. The model of ransomware as a service (RaaS) continues to be very successful, combining strong technological infrastructure for the attacks, with savvy and sophisticated affiliates that find the way to penetrate major corporations.
We can only speculate on what their next move may be, but what we do know is that organized groups like ALPHV are not afraid to publish data if their demands are not met. Regardless of their decision, MGM should keep hotel guests and visitors informed on what information may have been obtained. It is another cautionary tale for all organizations to regularly check their access controls and make sure they have end to end security processes in place.”

Statement of ALPHV group on MGM Resorts International: Setting the record straight

We have made multiple attempts to reach out to MGM Resorts International, “MGM”. As reported, MGM shutdown computers inside their network as a response to us. We intend to set the record straight. No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams.
MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps. Resulting in their Okta being completely locked out. Meanwhile we continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan.
On Sunday night, MGM implemented conditional restrictions that barred all access to their Okta ( environment due to inadequate administrative capabilities and weak incident response playbooks. Their network has been infiltrated since Friday. Due to their network engineers’ lack of understanding of how the network functions, network access was problematic on Saturday. They then made the decision to “take offline” seemingly important components of their infrastructure on Sunday.
After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident.
In our MGM victim chat, a user suddenly surfaced a few hours after the ransomware was deployed. As they were not responding to our emails with the special link provided (In order to prevent other IT Personnel from reading the chats) we could not actively identify if the user in the victim chat was authorized by MGM Leadership to be present.
We posted a link to download any and all exfiltrated materials up until September 12th, on September 13th in the same discussion. Since the individual in the conversation did not originate from the email but rather from the hypervisor note, as was already indicated, we were unable to confirm whether they had permission to be there.
To guard against any unneeded data leaking, we added a password to the data link we provided them. Two passwords belonging to senior executives were combined to create the password. Which was clearly hinted to them with asterisks on the bulk of the password characters so that the authorized individuals would be able to view the files. The employee ids were also provided for the two users for identification purposes.
The user has consistently been coming into the chat room every several hours, remaining for a few hours, and then leaving. About seven hours ago, we informed the chat user that if they do not respond by 11:59 PM Eastern Standard Time, we will post a statement. Even after the deadline passed, they continued to visit without responding. We are unsure if this activity is automated but would likely assume it is a human checking it.
We are unable to reveal if PII information has been exfiltrated at this time. If we are unable to reach an agreement with MGM and we are able to establish that there is PII information contained in the exfiltrated data, we will take the first steps of notifying Troy Hunt from He is free to disclose it in a responsible manner if he so chooses.
We believe MGM will not agree to a deal with us. Simply observe their insider trading behavior. You believe that this company is concerned for your privacy and well-being while visiting one of their resorts?
We are not sure about anyone else, but it is evident from this that no insiders have purchased any stock in the past 12 months, while 7 insiders have sold shares for a combined 33 MILLION dollars. ( This corporation is riddled with greed, incompetence, and corruption.
We recognize that MGM is mistreating the hotel’s customers and really regret that it has taken them five years to get their act together. Other lodging options, including casinos, are undoubtedly open and happy to assist you.
At this point, we have no choice but to criticize outlets such as The Financial Times for falsely reporting events that never happened. We did not attempt to tamper with MGM’s slot machines to spit out money because doing so would not be to our benefit and would decrease the chances of any sort of deal.
The rumors about teenagers from the US and UK breaking into this organization are still just that—rumors. We are waiting for these ostensibly respected cybersecurity firms who continue to make this claim to start providing solid evidence to support it. Starting to the actors’ identities as they are so well-versed in them.
The truth is that these specialists find it difficult to delineate between the actions of various threat groupings, therefore they have grouped them together. Two wrongs do not make a right, thus they chose to make false attribution claims and then leak them to the press when they are still unable to confirm attribution with high degrees of certainty after doing this. The Tactics, Techniques, and Procedures (TTPs) used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate.
The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets made the decision to falsely claim that we had claimed responsibility for the attack before we had.
We still continue to have access to some of MGM’s infrastructure. If a deal is not reached, we shall carry out additional attacks. We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us.

Check Point Customer using Harmony Endpoint and Anti Ransomware remain protected against such ransomware threats
Practical advice: Preventing ransomware and other attacks
Against a backdrop of advanced cybersecurity tools, organizations need to exercise good security hygiene across on-premise, cloud and hybrid networks all the way up to the board level. There are several actions that leaders can take to minimize exposure to and the potential impacts of an attack.

Here are a few simple tips to keep you safe:
1. Robust Data Backup
The goal of ransomware is to force the victim to pay a ransom in order to regain access to their encrypted data. However, this is only effective if the target actually loses access to their data. A robust, secure data backup solution is an effective way to mitigate the impact of a ransomware attack.
2. Cyber Awareness Training
Phishing emails are one of the most popular ways to spread ransom malware. By tricking a user into clicking on a link or opening a malicious attachment, cybercriminals gain access to the employee’s computer and begin the process of installing and executing the ransomware on it. Frequent cybersecurity awareness training is crucial to protecting the organization against ransomware, leveraging their own staff as the first line of defense in ensuring a protected environment. This training should instruct employees on the classic signs and language that are used in phishing emails.
3. Up-to-Date Patches
Keeping computers up-to-date and applying security patches, especially those labelled as critical, can help to limit an organization’s vulnerability to ransomware attacks as such patches are usually overlooked or delayed too long to offer the required protection
4. Strengthening User Authentication
Enforcing a strong password policy, requiring the use of multi-factor authentication, and educating employees about phishing attacks designed to steal login credentials are all critical components of an organization’s cybersecurity strategy.
5. Anti-Ransomware Solutions
Anti-ransomware solutions monitor programs running on a computer for suspicious behaviors commonly exhibited by ransomware, and if these behaviors are detected, the program can take action to stop encryption before further damage can be done.
6. Utilize Better Threat Prevention

Most ransomware attacks can be detected and resolved before it is too late. You need to have automated threat detection and prevention in place in your organization to maximize your chances of protection, including scanning and monitoring of emails, and scanning and monitoring file activity for suspicious files. AI has become an indispensable ally in the fight against cyberthreats. By augmenting human expertise and strengthening defense measures, AI-driven cybersecurity solutions provide a robust shield against a vast array of attacks. As cybercriminals continually refine their tactics, the symbiotic relationship between AI and cybersecurity will undoubtedly be crucial in safeguarding our digital future.

See previous articles


See next articles

Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55

All new podcasts