The ALPHV/BlackCat ransomware operation appears to be behind the ongoing cyber attack on US hospitality and leisure operator MGM Resorts, which has disrupted operations at Las Vegas casinos including Bellagio, Excalibur, Luxor, Mandalay Bay, the MGM Grand and New York-New York.
First revealed by malware research collective VX-Underground, the gang claimed it had conducted a successful social engineering attack against an MGM Resorts employee they found on LinkedIn, then called into the organisation’s IT help desk to obtain access to the victim’s systems.
“A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” VX-Underground observed in a post to its X (formerly Twitter) account.
As the disruption from the cyber attack enters its fifth day, MGM Resorts has yet to confirm or deny the claims, and has made no further statement aside from acknowledging it has identified a cyber security “issue”. It said its sites are operating normally, although its public-facing website remains inaccessible.
According to other outlets, guests at the group’s properties have reported issues ranging from having to check in using pen and paper, room keys not working – which MGM Resorts has denied – in-room phone, TV and Wi-Fi outages, unavailable slot machines, and problems using credit and loyalty cards.
Charles Carmakal, chief technology officer of Google Cloud’s Mandiant Consulting, said the BlackCat gang – which is tracked in Mandiant’s taxonomy as UNC3944 – remains one of the most prevalent and aggressive threat actors currently operating.
“They have recently gained a lot of attention because of their recent targeting of hospitality and entertainment organisations,” he said. “Although members of the group may be less experienced and younger than many of the established multifaceted extortion/ransomware groups and nation state espionage actors, they are a serious threat to large organisations.
“Many members are native English speakers and are incredibly effective social engineers,” said Carmakal. “They are incredibly disruptive and aggressive. They cause IT outages in several ways which don’t necessarily involve the deployment of ransomware encryptors.
“However, over the past few months, we’ve seen them deploy Black Cat encryptors in a subset of the victim environments that they’ve compromised. And they leverage the ALPHV shaming infrastructure for a few of the victims they extort. They leverage tradecraft that is challenging for many organisations with mature security programmes to defend against.”
Considered one of the “top” active ransomware threats, BlackCat has claimed a slew of victims in recent months, including Barts NHS Trust in London, and cosmetics giant Estée Lauder.
Focus on data recovery
Steve Stone, head of Rubrik Zero Labs, told Computer Weekly that MGM Resorts would be largely focused on data recovery to restore critical operational capabilities.
“These recovery motions will either be guided by visibility, prioritisation and understanding the current attacker access, or they will be conducted as ‘blind’ events,” he said. “Organisations conducting blind recovery will struggle with losing too much data, as they might recover from a longer period than needed, or else reintroducing the attackers if the recovery point is after attackers gained access.
“Successful, timely recovery is guided by smart decision-making on the sequencing of recovery – everything can’t be recovered at once – ensuring the attackers lose access by recovering from before the intrusion, and that minimal data loss occurs by recovery as close to the intrusion as possible. The most successful organisations in recovery situations are able to leverage visibility of their data in offline, immutable stores combined with intrusion knowledge.”
Stone observed that, historically, organisations that have already drawn up and tested a recovery plan almost always get back on their feet quicker, because recovery becomes a matter of executing against a set of known processes. Those without such a plan are inevitably hamstrung for much longer, as their IT teams must additionally conduct discovery and workflow mapping during the crisis, with dramatically reduced visibility.
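The recovery decisions Stone describes – restore only from immutable copies, pick a point before the attacker gained access, keep data loss minimal and restore systems in a deliberate order – can be written down as a small planning routine. The following is an added example and is not MGM Resorts’, Rubrik’s or any vendor’s code; the system names, recovery tiers, snapshot inventory and intrusion timestamp are all constructed sample data, and the dwell-time “uncertainty” margin is an assumption introduced here to show how an imprecise initial-access estimate is handled.

```python
"""Select clean ransomware recovery points and sequence the restores.

Added example; not MGM Resorts' or Rubrik's code. Snapshot inventory, system
names, tiers and the intrusion timestamp below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    system: str
    taken_at: datetime
    immutable: bool  # True only if held in an offline/immutable store the intruder could not alter


# Constructed inventory: daily snapshots per system, plus one mutable copy that
# must never be selected, however recent it is.
SNAPSHOTS: List[Snapshot] = [
    Snapshot("reservations-db", datetime(2024, 1, 7, 2, 0), True),
    Snapshot("reservations-db", datetime(2024, 1, 8, 2, 0), True),
    Snapshot("reservations-db", datetime(2024, 1, 9, 2, 0), True),
    Snapshot("reservations-db", datetime(2024, 1, 10, 2, 0), False),
    Snapshot("keycard-service", datetime(2024, 1, 8, 2, 0), True),
    Snapshot("keycard-service", datetime(2024, 1, 9, 2, 0), True),
    Snapshot("identity-provider", datetime(2024, 1, 6, 2, 0), True),
    Snapshot("identity-provider", datetime(2024, 1, 9, 2, 0), True),
]

# Constructed recovery sequence: identity first, so any credentials the intruder
# created are gone before dependent systems come back, then guest-facing services.
RECOVERY_ORDER: Dict[str, int] = {"identity-provider": 0, "keycard-service": 1, "reservations-db": 2}

# Constructed estimate of when initial access occurred (from the intrusion investigation).
SAMPLE_INTRUSION_START = datetime(2024, 1, 9, 14, 30)


def select_recovery_point(snapshots: List[Snapshot], system: str, intrusion_start: datetime,
                          uncertainty: timedelta = timedelta(0)) -> Optional[Snapshot]:
    """Newest immutable snapshot of `system` taken before (intrusion_start - uncertainty).

    `uncertainty` widens the safety margin when the initial-access time is only an
    estimate: more data loss in exchange for confidence that the foothold is excluded.
    Returns None when no clean copy exists, so the planner reports a gap rather than
    silently restoring an image the intruder may already have touched.
    """
    cutoff = intrusion_start - uncertainty
    clean = [s for s in snapshots if s.system == system and s.immutable and s.taken_at < cutoff]
    return max(clean, key=lambda s: s.taken_at) if clean else None


def plan_recovery(snapshots: List[Snapshot], order: Dict[str, int], intrusion_start: datetime,
                  uncertainty: timedelta = timedelta(0)) -> List[Tuple[str, Optional[Snapshot], Optional[timedelta]]]:
    """Return (system, chosen snapshot or None, data-loss window or None), in restore order."""
    plan = []
    for system in sorted(order, key=order.get):
        snap = select_recovery_point(snapshots, system, intrusion_start, uncertainty)
        loss = (intrusion_start - snap.taken_at) if snap else None
        plan.append((system, snap, loss))
    return plan


def plan_summary(intrusion_start: datetime = SAMPLE_INTRUSION_START,
                 uncertainty_hours: int = 0) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Human-readable form of plan_recovery over the constructed inventory."""
    plan = plan_recovery(SNAPSHOTS, RECOVERY_ORDER, intrusion_start, timedelta(hours=uncertainty_hours))
    return [(system, snap.taken_at.isoformat() if snap else None, str(loss) if loss is not None else None)
            for system, snap, loss in plan]


if __name__ == "__main__":
    for margin in (0, 24, 96):
        print(f"--- initial access {SAMPLE_INTRUSION_START.isoformat()}, margin {margin}h ---")
        for system, taken_at, loss in plan_summary(uncertainty_hours=margin):
            print(f"{system:20s} restore from {taken_at or 'NO CLEAN COPY'}  data loss {loss or '-'}")
```

With the constructed data, the mutable 10 January copy of the reservations database is never chosen even though it is the newest, and widening the dwell-time margin to 24 hours pushes the identity provider back to its 6 January snapshot at the cost of three and a half days of data; at a 96-hour margin no clean copy remains for any system, which is exactly the “blind recovery” situation Stone warns about, surfaced as a gap rather than as a silent restore.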
He added that even though double extortion – encryption plus exfiltration and extortion – attacks have been commonplace since 2020, most organisations are still unprepared for the second step.
“This is especially challenging when an environment is actively encrypted and/or undergoing an intrusion,” he said. “The ability to assess if data was stolen, what that data contains, and how to deal with a potential data loss extortion threat prove critical in modern ransomware intrusions.”