Too Rich To Ransomware? MGM Brushes Off $100M in Losses


Following September’s ransomware attack on MGM Resorts, the hospitality and casino giant swiftly decided not to engage or negotiate with cybercriminals — and based on its most recent Securities and Exchange Commission (SEC) disclosure, the gamble paid off.

MGM’s incident response strategy was a sharp left turn from that of Caesars Entertainment, which, after it was breached by the same threat actors, decided to pay a negotiated ransom of $15 million and move on. In the days following the casino cyberattacks, Caesars was back to day-to-day operations, while MGM struggled to claw back operations for more than a week.

In its revised SEC disclosure form 8-K, MGM reports it lost about $100 million as a result of the breach, which seems like a hefty price tag at first blush. However, the company noted that the losses will only slightly impact the company’s third quarter financials, with minimal potential spillover into the fourth quarter. For comparison’s sake, MGM hauled in nearly $4 billion in revenue in the second quarter of the year, across its global operations — and $2.1 billion in revenue from its Las Vegas properties alone.

“The Company does not expect that it will have a material effect on its financial condition and results of operations for the year,” MGM said. The casino juggernaut is already looking forward to November Formula 1 racing coming to the Vegas Strip, which, it added, will boost its fourth quarter earnings significantly.

Caesars, on the other hand, made the choice to pay, despite widespread guidance against meeting ransom demands.

“Paying a ransom to cybercriminals does not guarantee a full return of an organization’s systems and data, and only furthers the ransomware ecosystem,” according to Anne Cutler, cybersecurity evangelist with Keeper Security. “Although the $100 million in losses are costly on the surface, MGM’s decision not to pay the ransom followed the course of action recommended by cybersecurity experts, government, and law enforcement.”

The outcome makes a surprising business case for telling cybercriminals to pound sand following a ransomware attack.

Do Deep Pockets Make Orgs Better or Worse Targets?

Are some organizations just too rich to ransomware?

“No…
