One paid out, one did not • The Register


Feature The same cybercrime crew broke into two high-profile Las Vegas casino networks over the summer, infected both with ransomware, and stole data belonging to tens of thousands of customers from the mega-resort chains.

But despite the similar characters and plots, these two stories have disparate endings — and seem to suggest two very different takeaways to corporations confronted with extortionists’ demands and the question of paying or not paying a ransom.

The first, Caesars Entertainment, which owns more than 50 resorts and casinos in Las Vegas and 18 other US states, disclosed the intrusion in an 8-K form submitted to the SEC on September 7.

In its report to the financial watchdog, Caesars cited a “social engineering attack on an outsourced IT support vendor,” which we now know was Okta, and said the crooks stole its customer loyalty program database, which contained a ton of personal information.

The casino owner also noted, in the filing, that it had “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”

These steps are widely assumed to include paying a ransom — which was reportedly negotiated down to $15 million after an initial demand for $30 million.

Caesars did not respond to The Register’s inquiries for this or previous stories about the ransomware infection.

What happens in Vegas…

From the outside, at least, it appears that Caesars suffered minimal pain and business disruption primarily because it decided to pay the ransom. Meanwhile, as Caesars’ breach became public, its neighboring resort and casino on the Vegas Strip entered its fourth day of inoperable IT systems and casinos following a “cybersecurity issue.”

That other company, of course, is MGM Resorts, which owns 31 hotel and casino locations globally. Like Caesars, MGM was also an Okta customer that fell victim to phishing attempts targeting its IT service teams.

Scattered Spider, the crime gang believed to be responsible for both intrusions, reportedly bragged that all it took to break into MGM’s networks was a 10-minute call with the help desk.

But unlike Caesars, MGM did not pay the ransom. MGM Resorts CEO Bill…
