Something curious is happening in Las Vegas. Long lines are snaking down the lobbies of some of the swankiest casinos on the strip, as hotel staff manually check in guests.
Call centres have ground to a halt, parking machines are down, kiosks in the sports book are incapable of taking wagers, and booking websites for some of Sin City’s most popular casinos were taken offline for an uncomfortably long time.
Social media is rife with videos of sad-looking gaming floors with blank screens on slot machines, radios placed in elevators in lieu of emergency phone systems, guests complaining of key cards to rooms not working, and much, much more.
What’s behind all this chaos? It’s not a natural disaster, nor is it a power cut. The disruption has been caused by a large-scale, destructive cyber-attack that appears to have crippled a huge part, if not all, of the networks belonging to MGM, the group that owns properties like the MGM Grand, Cosmopolitan and Bellagio.
Hotel guests waiting to check in at Luxor - Image credit: Las Vegas Review-Journal
The immediate impact has been enormous, and it's unclear just how difficult it has been to contain the incident. The FBI has become involved in the investigation, and the crisis has been escalated to the highest levels of state, with Nevada governor Joe Lombardo coordinating with local and national law enforcement.
Some clues about the nature of the attack have been trickling out through the media. The ransomware group ALPHV, also known as BlackCat, is responsible, according to a report by malware archive vx-underground, which claims that MGM, for now, is refusing to meet the gang’s demands to pay a ransom.
What is most alarming are claims that the cybercriminals practically waltzed their way into MGM’s systems with a well-crafted phishing attack.
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” vx-underground wrote in a Twitter post.
“A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” it added.
How long the disruptions will continue for, and the extent of the damage, is still unknown – but an MGM spokesperson told media that the incident was having impacts beyond Las Vegas, with the company’s locations in other states also affected.
Similarly, rumours are swirling on social media of impacted customers seeing strange transactions on their credit cards, and concerned employees wondering if they will be paid on time.
“This attack is not surprising and could even be seen as predictable. This industry is a prime target for cybercrime, and unfortunately never really seems to improve,” says Alastair Miller, Principal Consultant at Aura Information Security, citing similar attacks on other casino groups such as major breaches in 2015 and 2016 of the Hard Rock Hotel and Casino.
Nor is this the first time MGM has faced a major cyber incident. In 2019, approximately 10 million MGM guests had their data published on a Russian hacking forum following a major breach.
“Casinos and hotels are popular targets due to the large flow of people, PII (Personally Identifiable Information) and money. The industry is tied to a long history of underinvestment in cybersecurity and poorly paid employees who are untrained and don’t really care, making it a target well worth the attention of criminals.”
Alastair says the attack highlights the role people can play in keeping your business secure.
“Social engineering is an excellent way to get elevated privileges quite quickly. Training staff and giving them the processes to work securely are key in this area. Also paying them well so they feel motivated to actually care helps,” he adds.
So what will MGM do next?
“MGM will be concentrating on getting the cashflow services up and running. This unfortunately probably means that other systemic issues will be ignored,” says Alastair.
The disruptions will no doubt be harming the business’s bottom line. With Forbes estimating that MGM’s Las Vegas Strip properties generate around USD $13 million per day just from casinos and hotels, each day that services are partially down will be having a material impact on gross revenues.
Alastair says as the impacts of the cyber-attack drag on, the pressure on MGM to pay a ransom will ramp up.
“If MGM is seeing a marked decrease in cashflow due to being unable to offer numerous services, executives can quickly make a calculation on how long downtime costs exceed the value of paying a ransom.”
While it’s yet to be seen whether MGM will grow the appetite to pay its way out of its current misery, it’s worth noting that its competitor Caesars Entertainment this month paid a USD $15 million ransom to ward off its own cyber-attack.
For now, Las Vegas appears to be limping on, as the ire of disgruntled guests echoes throughout the Strip and on social media, with no end in sight.