The ransomware attack that hit MGM Resorts International on September 10th captured headlines due to the company’s name recognition, reputational and customer impact, and the overall magnitude of business disruption the attack caused.
Three days earlier, another prominent resort operator, Caesars Entertainment, was hit by a cyber-attack. In response, Caesars reportedly paid an estimated $15 to $30 million USD ransom.
In the case of the MGM Resorts attack, current estimates peg business impact at:
The attacks on MGM and Caesars — two of the largest casino companies in the world — highlight the sophistication of today’s threat actors and the corresponding ineffectiveness of the current tools and processes used to defend against sophisticated and advanced cyber-attacks.
On September 19, 2023, nine days after the MGM incident made headline news, MGM Resorts officially stated on X (formerly Twitter) that business had been fully restored.
Morphisec researchers have created a possible attack flow based upon independent investigation and available data regarding:
Threat actor: Researchers have linked ransomware groups ALPHV/Blackcat/Scattered Spider to the attacks on both MGM and Caesars, with ALPHV/Blackcat publicly claiming responsibility.
Persistence: The group stated in its blog that it had persistence in the network and had gained super administrator privileges.
Backdoors: The ransomware was deployed after MGM had already locked down its network, which means the attackers had gained significant visibility into the network and had implanted backdoors across it.
Data exfiltration: The group also claimed to have exfiltrated data; the attackers said they were sorting through it and would post evidence if any PII was found.
SMS spearphishing to target an administrator -> SIM swapping -> social engineering the IT help desk to send an MFA reset code to the SIM -> access to network -> backdoors -> recon -> credential stealing (memory dumps) -> lateral movement -> encryption of ESXi servers
Based on details made available by the ransomware group and media agencies with visibility into the ongoing investigations, we believe the group targeted an MGM Resorts Administrator.
Morphisec’s analysis suggests the attack took place over the following stages:
A sophisticated group stealthily maintained its presence within the environment, and after gaining access exfiltrated sensitive data.
The highlighted stages depict where Morphisec’s ransomware prevention would have provided early attack visibility by preventing the advanced in-memory backdoors, thus denying the attackers a foothold within the environment.
At the credential stealing stage, the attackers took domain controller (DC) memory dumps in order to obtain domain admin rights. Here too, Morphisec AMTD Credential Stealing protection would have prevented the theft and the attack, affording the team early visibility and rapid containment.
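The credential stealing stage above hinges on reading LSASS memory on a domain controller. As an added example (not Morphisec's code or part of the original post), the following detector reads Sysmon Event ID 10 (ProcessAccess) records and flags any non-allowlisted process that obtains a handle to lsass.exe with the PROCESS_VM_READ bit (0x0010) set, which any memory-dump technique requires. The JSON event shape, the allowlist of system images, and the sample log lines are all constructed assumptions for illustration; field names follow Sysmon's ProcessAccess event (SourceImage, TargetImage, GrantedAccess).

```python
import json
from dataclasses import dataclass
from typing import Iterable

# Windows process access-mask bit required to read another process's memory.
PROCESS_VM_READ = 0x0010

# Assumed allowlist: images that legitimately open LSASS on a typical host.
# This is a hypothetical starting set and must be tuned per environment.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass
class Alert:
    host: str
    source_image: str
    granted_access: int


def parse_event(line: str) -> dict:
    """Parse one JSON-serialised Sysmon event (assumed forwarder format)."""
    return json.loads(line)


def is_lsass_read(event: dict) -> bool:
    """True if this is a ProcessAccess event that grants memory-read on lsass.exe."""
    if event.get("EventID") != 10:
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    # Sysmon renders GrantedAccess as a hex string such as "0x1010".
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def detect(lines: Iterable[str]) -> list[Alert]:
    """Run the LSASS-read rule over log lines and return one Alert per hit."""
    alerts: list[Alert] = []
    for line in lines:
        event = parse_event(line)
        if not is_lsass_read(event):
            continue
        source = event.get("SourceImage", "").lower()
        if source in ALLOWLISTED_SOURCES:
            continue  # expected system activity, not a credential dump
        alerts.append(
            Alert(
                host=event.get("Computer", "unknown"),
                source_image=event["SourceImage"],
                granted_access=int(event["GrantedAccess"], 16),
            )
        )
    return alerts


# Constructed sample events: only the third line should raise an alert.
SAMPLE_EVENTS = [
    # Defender scanning LSASS with read access: allowlisted, no alert.
    r'{"EventID": 10, "Computer": "DC01", "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}',
    # Process creation event: wrong event type, ignored.
    r'{"EventID": 1, "Computer": "DC01", "Image": "C:\\Windows\\System32\\notepad.exe"}',
    # Unknown binary opening LSASS with full access from a public directory: alert.
    r'{"EventID": 10, "Computer": "DC01", "SourceImage": "C:\\Users\\Public\\dumper.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}',
    # Handle to LSASS with only limited-query rights (no VM_READ): ignored.
    r'{"EventID": 10, "Computer": "DC01", "SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}',
    # ProcessAccess against a different target: ignored.
    r'{"EventID": 10, "Computer": "WS07", "SourceImage": "C:\\Windows\\explorer.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF"}',
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {alert.host}: {alert.source_image} read LSASS "
              f"(GrantedAccess=0x{alert.granted_access:X})")
```

Testing the access mask by bit rather than matching a fixed list of values (0x1010, 0x1FFFFF, and so on) keeps the rule from being bypassed by an unusual mask combination; the cost is a larger allowlist to maintain, which is the usual trade-off for this detection on domain controllers.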
The attack group’s blog post explicitly pointed to inefficiencies in MGM’s internal and external resources. An excerpt is featured below:
“MGM implemented conditional restrictions that barred all access to their Okta (—) environment due to inadequate administrative capabilities and weak incident response playbooks.”
“After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident.”
It appears that the MGM team was caught by surprise. The team’s efforts to contain the attack then led to confusion, reflecting a lack of incident preparedness and inadequate contingency procedures: the attack apparently continued despite the initial detection and response efforts.
For example, the rapid encryption of 100 ESXi servers and the effective downtime of more than 36 hours potentially indicate a network that was poorly segmented and lacked sound backup and restoration practices.
Morphisec recommends implementing the following best practices to prepare against this and similar future attacks: