MGM Resorts back online after suspected ransomware attack
MGM Resorts has announced its hotels in Las Vegas are operational once again, following a prolonged outage in the wake of a serious cyber security incident that is still under investigation.
The hospitality chain endured a chaotic day in which many of its IT systems shut down, leaving guests locked out of rooms, resorts only able to accept cash payments, and slot machines inoperable.
It is not yet clear whether systems were brought down by the cyber incident itself, or as a precautionary measure taken by MGM Resorts to contain the spread of malware and prevent threat actors from performing lateral attacks.
While MGM Resorts has not detailed the nature of the incident, some experts assume it was the result of a broad ransomware operation.
“While it hasn’t been confirmed, this has all of the markings of a pretty significant ransomware attack,” said Erich Kron, security awareness advocate at KnowBe4.
“It’s clear that a significant number of systems have been impacted, leaving guests and customers in a difficult position, while clearly impacting operations across the resort portfolio.”
The incident began on Sunday 10 September. In a statement published to X (formerly Twitter) at 08:27 (PT) on 11 September, MGM Resorts said it had identified a “cyber security issue” impacting some of its systems.
As of 16:51 (PT), MGM Resorts had announced guests were able to access their rooms and systems pertaining to gaming, entertainment, and dining were once again online.
“Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts,” the company wrote.
“We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.”
The chain operates well-known casinos including Aria, Mandalay Bay, and MGM Grand, all of which experienced significant disruption throughout the shutdown. It is cooperating with the Federal Bureau of Investigation (FBI), which has opened an investigation into the incident.
If ransomware was involved, the system shutdown could have been enacted by the company’s security team to prevent further spread or to buy time to remediate lost data. A rapid response could have prevented MGM Resorts from having to pay ransomware operators.
“In response to this incident, it looks like MGM decided to take all their systems offline, which is a routine move when organisations run such large and complex networks,” said Ryan McConechy, CTO at Barrier Networks.
“Until MGM provides more information on the breach, it’s not clear the exact reason why they decided to take this action, but it is a very costly move.
“For every minute the gaming floor was down, MGM was losing money. Likewise, with reservations and their websites still being down, the company continues to suffer massive financial losses. Understandably, this may be to prevent active attackers pivoting or malware spreading, but when organisations segment their networks effectively, this scale of downtime can usually be avoided.”
At the time of writing, the MGM Resorts website is still inaccessible. In its place, the organisation has placed a notice with phone numbers for each of MGM Resorts’ hotels within Las Vegas.
This is not the first public cyber security breach that MGM Resorts has experienced. In 2020, the details of 10.6 million guests, which had been stolen in a 2019 breach of the organisation’s servers, were leaked on a hacking forum.
In the wake of the incident, MGM Resorts stated it had no evidence to suggest customer financial or password data was included in the breach.
Ⓒ Future Publishing