On September 10th, 2023, a hacking group called BlackCat, also known as ALPHV, broke into MGM’s computer systems. BlackCat proceeded to coerce its victims into paying a ransom in exchange for the data’s release.
BlackCat employs ransomware, which is a type of software that locks up a system’s data and asks for money to unlock it. BlackCat said they got into MGM by using a trick on LinkedIn. They found an MGM employee who worked in support and fooled them into giving access to MGM’s systems by calling the help desk.
The Ransomware affected its customer-facing electronic systems such as casino and hotel computers, corporate email, restaurant reservations, hotel bookings, and digital key card access. As a result, MGM Resorts lost approximately $80 million in lost revenue.
MGM Resorts announced that its systems were back to normal operations on September 21, 2023. Although, some features like digital room keys and mobile check-in are still not operational.
“It’s all about the money. The way I look at it, you know, protect your employees and your home. It’s your home that you’re working with. You protect it to the fullest.” voiced an anonymous source with knowledge on the situation.
This cyberattack not only disrupted operations at MGM’s casino hotels in Las Vegas, but also inflicted damage to the Bellagio, Cosmopolitan, and other properties located throughout the United States. Caesars Entertainment disclosed on September 14, 2023 that they were hacked on September 7th. They admitted, “personal information of tens of millions of customers may have been compromised.”
BlackCat operates under the Ransomware-as-a-Service (RaaS) business model. This means they are able to provide their ransomware to other hackers who can use it to launch their own attacks and share the products with BlackCat. They also created a researchable database called ALPHV Collections, where they publish the data of their victims who refuse to pay the ransom.
Known Hacked information by BlackCat includes: MGM Resorts on September 10, 2023, Caesars Entertainment on September 7th, 2023, Reddit in April, 2022, and Western Digital in March 2022.
The FBI, the Cybersecurity and infrastructure Security Agency, the Nevada Gaming Control Board, and the Nevada Governor were all involved in investigating and monitoring these cyberattacks.
If ALPHV happened to be captured by law enforcement agencies, they would face serious legal consequences. They could also be charged with violating the Computer Fraud and Abuse Act (CFAA), and face lawsuits from their victims who may seek compensation or injunctive relief.
“From what I have heard, the people who hacked MGM said they were going to get us again unless we pay them. They also said there was a lot more stuff that could be touched that they haven’t accessed. They could pretty much shut Vegas down,” The anonymous source finished.
