Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

Caesars Entertainment Reportedly Pays Ransom to Attackers

Half of $30 Million Demand Paid to Same Group That Hit MGM Resorts, Reports Say
Caesars Entertainment Reportedly Pays Ransom to Attackers
The lobby of Caesars Palace in Las Vegas (Image: Dirk DBQ via Flickr/CC)

When gambling, they say the house always wins, but a ransomware group appears to have been bending the odds in its favor via high-stakes hits on casinos.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

After news broke this week that MGM Resorts had fallen victim to an apparent ransomware outbreak, an attack by the same ransomware group against Caesars Entertainment, based in Reno, Nevada, has come to light. While MGM Resorts hasn't said if it paid a ransom, the company's ongoing IT outages suggest it did not pay.

By contrast, Caesars did pay a ransom, worth approximately half of the initial $30 million ransomware demand it received, which the hotel and casino chain is expected to detail soon in regulatory filing to the U.S. Securities and Exchange Commission, The Wall Street Journal reported.

Caesars, which operates multiple properties - including Caesars Palace, Harrah's, Eldorado and Tropicana in Las Vegas - didn't immediately respond to a request for comment. The company's stock fell 2.7% to $52.35 on Wednesday in New York. No public reports have suggested its systems were disrupted.

Security experts say the ransom payment by Caesars will likely make the sector even more of a target. "This won't be the last Vegas casino operator targeted," John J. Rice, the IT and security manager at NYSERNet, a nonprofit internet service provider in New York, said in a LinkedIn post. "With Caesars having paid a ransom recently and MGM targeted, I would guess a smaller, less resilient casino company is next."

MGM Resorts International first warned Monday it was experiencing "a cybersecurity issue" that had forced it to use backup processes for everything from opening hotel room doors for guests to manually paying out slot machine winnings. The company said in a Tuesday statement that "our resorts, including dining, entertainment and gaming are currently operational," although guests reported challenges, such as not being able to use payment cards or withdraw cash from on-site ATMs.

MGM Resorts' outages appeared to continue Thursday. While the company has not stated that it suffered an attack, or that any ransomware or data theft was involved, the Alphv - aka BlackCat - ransomware group claimed credit for the attack to malware research group VX-Underground. The attackers said they had phoned the MGM Resorts IT help desk and socially engineered a member of staff into giving them network access.

Social Engineering Cited

Bloomberg first reported on the ransomware attack against Caesars, saying it appeared to trace to a social engineering attack against a third-party IT provider that may have begun as early as Aug. 27.

The attacker socially engineered - or tricked - an IT help desk into resetting a password, The Wall Street Journal reported. Google's Mandiant cybersecurity division told the newspaper that the attack traces to a group of hackers with the codename UNC 3944.

Also known by the codenames Scattered Spider and Muddled Libra, the group has amassed over 100 victims over the past two years and is expert at telephoning victims and convincing them to visit malicious websites or tricking help desks into giving them access, Mandiant CTO Charles Carmakal told The Wall Street Journal.

"They're good and they're persistent and they're effective because many of them are native English speakers," Carmakal said. How the group might be connected to the Alphv/BlackCat ransomware operation isn't clear.

Palo Alto's Unit 42 threat intelligence group has described the group's members as being "methodical in pursuing their goals and highly flexible with their attack strategies," and not hesitating to quickly switch tactics - drawing from "an unusually large attack toolkit" - if they didn't succeed.

"Their arsenal ranges from hands-on social engineering and smishing attacks to proficiency with niche penetration testing and forensics tools, giving this threat group an edge over even a robust and modern cyber defense plan," Unit 42 said in a June report, adding that the group regularly uses email, phone and SMS as attack vectors.

"Across many of our cases, the group demonstrated an unusually high degree of comfort engaging both the help desk and other employees over the phone, convincing them to engage in unsafe actions," it said.

Penetration testing expert Rachel Tobac said via social media that there are a number of immediate steps organizations can take to defend against these types of attacks, starting with reviewing their "phone-based identity verification protocols."

While "no one size fits all," she recommends any organization still using knowledge-based authentication, such as an employee's date of birth, switch to using one-time passwords via a verified communications channel, using callbacks - especially to battle spoofers - and referencing pre-agreed service codes or PINs.

"We can't expect every employee to be able to come up with their own identity verification protocols on the fly - it's our job to provide the right human protocols to catch this fast," said Tobac, who is the CEO of SocialProof Security.

Messing With Caesar

Whether these casino attackers will ever get brought to justice remains unclear, although things haven't turned out well for historically people who meddled with Caesar - as in the casino's namesake (see: Ransomware: Old Racket, New Look).

According to an account published by the Greek author Plutarch, in 75 B.C., a 25-year-old Julius Caesar was kidnapped by the Cilician pirates then terrorizing the Mediterranean Sea. The story goes that when kidnappers set a ransom demand, Caesar laughed it off, demanded it be raised and continued to order his kidnappers around. After Caesar's friends paid his ransom and he gained his freedom, Caesar ordered that his kidnappers be hunted down and crucified.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.