MGM Resorts Hit by BlackCat Ransomware Affiliate: Data Stolen, Operations Halted

An affiliate associated with the BlackCat ransomware group, also known as APLHV, is responsible for the cyberattack that disrupted the operations of MGM Resorts, compelling the company to shut down its IT systems.

In an official statement, the BlackCat ransomware group asserted that they had infiltrated MGM’s infrastructure since Friday and subsequently encrypted more than 100 ESXi hypervisors after MGM took its internal infrastructure offline.

The group claims to have exfiltrated data from MGM’s network and asserts continued access to some of the company’s infrastructure. They have threatened to launch further attacks unless an agreement to pay a ransom is reached.

Reports first emerged that the ALPHV ransomware operation, associated with the BlackCat group, had breached MGM through a social engineering attack. While these reports could not be independently verified, an administrator from BlackCat confirmed to BleepingComputer that one of their affiliates was indeed responsible for the MGM attack. They clarified that this actor was not the same one responsible for hacking Western Digital in March.

This threat actor, known as Scattered Spider by cybersecurity companies such as Crowdstrike, 0ktapus by Group-IB, UNC3944 by Mandiant, and Scatter Swine by Okta, is reported to have breached the networks of other organizations, including Caesars Entertainment. Caesars Entertainment, in a recent filing with the U.S. Securities and Exchange Commission, hinted at paying a $30 million ransom to avoid the leakage of customer data stolen in the attack.

BlackCat claims that MGM Resorts has remained unresponsive through the provided communication channel, suggesting that the company is not willing to engage in ransom negotiations. The threat actors revealed that MGM disconnected all of its Okta Sync servers after learning of their presence on Okta Agent servers.

However, even after this action, the hackers maintained their presence on MGM’s network. They claim to still possess super administrator privileges in MGM’s Okta environment and Global Administrator permissions for the company’s Azure tenant.

With no response from MGM and after waiting a day, the attackers initiated the ransomware attack by targeting over 100 ESXi hypervisors on September 11th. The threat actors asserted that they do not currently know the extent of the data they have stolen from MGM but warned that they would extract pertinent information and release it unless an agreement is reached.

To exert further pressure on the company, BlackCat threatened to leverage their existing access to MGM’s infrastructure for additional attacks. BleepingComputer has not independently verified BlackCat’s claims, and MGM Resorts has not responded to inquiries.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link