MGM Resorts ransomware (Scattered Spider + ALPHV)
Scattered Spider vished an MGM IT-desk agent, gained Okta admin, and let ALPHV detonate ransomware. Casinos went offline for ten days; the loss to MGM exceeded $100 million.
- Victim: MGM Resorts International
- Loss: $100.0M
- Users: 6.0M
Across 8–10 September 2023, the loosely organized social-engineering crew known as Scattered Spider (UNC3944) brought MGM Resorts to a near-complete IT halt: not through malware, but through a ten-minute phone call to the IT help desk.
What happened
Scattered Spider operators identified an MGM IT employee on LinkedIn, called the help desk impersonating that employee, and convinced an agent to reset the victim's MFA. From the foothold, they escalated to Okta administrative privileges, federated the directory to attacker-controlled infrastructure, and harvested credentials across MGM's environment.
When MGM detected the activity on 10 September and began severing access, Scattered Spider handed off to ALPHV/BlackCat affiliates, who detonated ransomware on more than 100 ESXi hypervisors. MGM refused to pay; the casino floor went dark.
Impact
- Roughly ten days of disruption across MGM's Las Vegas properties: slot machines, room keys, ATMs, and reservation systems offline; hotel guests checked in by hand.
- ~$100 million in lost revenue per MGM's SEC 8-K filing.
- Approximately 6 million guests had names, contact info, dates of birth, and some driver's license numbers exposed.
- The same crew was tied to a parallel attack on Caesars Entertainment, which paid a ~$15 million ransom.
Why it matters
MGM is now the canonical case for help-desk social engineering as a tier-one attack vector. MFA does not help if the help desk will reset it for whoever calls; identity providers like Okta are crown-jewel infrastructure that deserve administrative rigor on par with domain controllers; and the commoditization of initial access via vishing has lowered the technical bar for catastrophic intrusions.
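The chain described above (help-desk MFA reset, then Okta admin rights, then federation to outside infrastructure) is visible in the identity provider's own audit trail if someone correlates the steps. The script below is an added illustration, not MGM's, Okta's or any vendor's code: it walks a handful of constructed Okta System Log-style events and flags any user whose MFA factors were reset by a help-desk account and who, within 24 hours, either received an admin privilege grant or created a new identity provider. The event-type strings (`user.mfa.factor.reset_all`, `user.mfa.factor.deactivate`, `user.account.privilege.grant`, `system.idp.lifecycle.create`), the `actor`/`target` field layout, all account names and timestamps, and the 24-hour window are assumptions for the example.

```python
"""Correlate help-desk MFA resets with later privilege escalation in the IdP log.

Added example for the MGM write-up; event-type names and record layout are
assumed to follow Okta System Log conventions and are not taken from MGM's
incident data.  All sample events below are constructed.
"""
from datetime import datetime, timedelta

# Events that remove a user's enrolled factors (what a help-desk reset produces).
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
# Events that mean the account now has, or has just created, powerful control.
ESCALATION_EVENTS = {"user.account.privilege.grant", "system.idp.lifecycle.create"}
WINDOW = timedelta(hours=24)  # assumed correlation window


def parse_ts(value):
    """Timestamps are RFC 3339 with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def user_targets(event):
    """User accounts named as targets of an event (a factor reset names its victim)."""
    return {t["alternateId"] for t in event.get("target", []) if t.get("type") == "User"}


def find_reset_then_escalation(events, window=WINDOW):
    """Return one finding per (reset, escalation) pair on the same user within the window.

    The escalation may be done *to* the user (privilege grant naming them as target)
    or *by* the user (IdP creation where they are the actor), so both are checked.
    """
    findings = []
    resets_seen = {}  # user -> list of reset events observed so far
    for ev in sorted(events, key=lambda e: parse_ts(e["published"])):
        kind = ev["eventType"]
        if kind in MFA_RESET_EVENTS:
            for user in user_targets(ev):
                resets_seen.setdefault(user, []).append(ev)
        elif kind in ESCALATION_EVENTS:
            subjects = user_targets(ev) | {ev["actor"]["alternateId"]}
            for user in subjects:
                for reset in resets_seen.get(user, []):
                    gap = parse_ts(ev["published"]) - parse_ts(reset["published"])
                    if timedelta(0) <= gap <= window:
                        findings.append({
                            "user": user,
                            "reset_by": reset["actor"]["alternateId"],
                            "reset_at": reset["published"],
                            "escalation": kind,
                            "escalation_at": ev["published"],
                            "hours_after_reset": round(gap.total_seconds() / 3600, 1),
                        })
    return findings


# Constructed sample log: one suspicious sequence and one benign, widely spaced pair.
SAMPLE_EVENTS = [
    {"published": "2023-09-08T14:02:11Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk.agent@example.com", "type": "User"},
     "target": [{"alternateId": "jdoe@example.com", "type": "User"}]},
    {"published": "2023-09-08T14:31:40Z", "eventType": "user.session.start",
     "actor": {"alternateId": "jdoe@example.com", "type": "User"}, "target": []},
    {"published": "2023-09-08T16:45:03Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "jdoe@example.com", "type": "User"},
     "target": [{"alternateId": "jdoe@example.com", "type": "User"}]},
    {"published": "2023-09-09T03:10:27Z", "eventType": "system.idp.lifecycle.create",
     "actor": {"alternateId": "jdoe@example.com", "type": "User"},
     "target": [{"alternateId": "Example Corp SAML IdP", "type": "IdentityProvider"}]},
    # Benign: a reset weeks before a routine admin grant by a different admin.
    {"published": "2023-09-01T09:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk.agent@example.com", "type": "User"},
     "target": [{"alternateId": "asmith@example.com", "type": "User"}]},
    {"published": "2023-09-20T10:00:00Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "okta.admin@example.com", "type": "User"},
     "target": [{"alternateId": "asmith@example.com", "type": "User"}]},
]


if __name__ == "__main__":
    for f in find_reset_then_escalation(SAMPLE_EVENTS):
        print(f"{f['user']}: factors reset by {f['reset_by']} at {f['reset_at']}, "
              f"then {f['escalation']} {f['hours_after_reset']}h later")
```

On the sample data the detector reports two findings for `jdoe@example.com` (the privilege grant 2.7 hours after the reset and the IdP creation 13.1 hours after it) and nothing for `asmith@example.com`, whose grant falls outside the window. The design choice worth noting is that the rule keys on the *reset* as the suspicious precondition rather than on the escalation alone: admin grants and IdP changes happen legitimately, but either one shortly after a help-desk factor reset is exactly the pattern the write-up describes and is cheap to page on.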
Financial impact
Reported costs in USD
- Business loss: $90.0M
- Remediation: $10.0M
Timeline
- Scattered Spider operators identify an MGM IT employee on LinkedIn and place a vishing call to the IT help desk.
- The help desk resets the targeted employee's MFA, granting access. Attackers escalate to Okta administrative privileges.
- MGM detects anomalous Okta activity and shuts down significant portions of its IT estate. Casinos, slot machines, room keys, and websites go offline.
- ALPHV/BlackCat detonates ransomware on more than 100 ESXi hypervisors after MGM declines to negotiate.
- Most guest-facing systems are restored after ten days of disruption.
- MGM's 8-K filing puts the cost at roughly $100 million in lost revenue and incident response.
Sources
- sec.gov: https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0000789570&type=8-K&dateb=&owner=include&count=40
- mandiant.com: https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware
- reuters.com: https://www.reuters.com/technology/cybersecurity/mgm-resorts-says-cyberattack-cost-100-million-2023-10-05/