To Pay or Not to Play: An analysis of ransomware attacks on the two Las Vegas casinos

We’ve attempted to summarise the two recent (September 23) cyber-attacks that made the headlines in the context of cyber-risks, ethics, and the decision conundrum when dealing with major incidents.

Las Vegas casinos ransomware attack

Image courtesy Anna Shvets –

Bellagio casino ransomware attack

Photo by Simone Coltri

Cyberattack 1: MGM Resorts

MGM Resorts International is a global hospitality and entertainment company with a portfolio of 29 hotel and resort properties, including iconic brands like Bellagio, MGM Grand and Mandalay Bay. The company operates various resorts, casinos, and entertainment destinations. The estimated annual turnover is USD 15.38 billion.

  • Based on information from various news sources:
  • The cyberattack was detected on MGM Resorts International in September 2023
  • This led to significant disruptions of online and in-casino services, affecting the company’s operations and customer experience.
  • The financial impact of this attack was substantial, with a $100 million hit to the third-quarter results.
  • A further $10 million was spent on one-time expenses for risk remediation, legal fees, third-party advisory, and incident response measures.
  • The outage lasted for ten days.

The perpetrators

  • The hacking group “Scattered Spider” is suspected to be behind the attack using ALPHAV Ransomware as a Service.
  • Also known as Roasted 0ktapus, UNC3944 or Storm-0875
  • The group members are believed to be English-speaking, are aged between 17 and 24, and communicate through a Telegram channel.
  • Believed to be based in Europe and the USA
  • Scattered Spider specialises in social engineering attacks
  • Due to their fluency in English, they can convincingly carry out methods like smishing and SIM swapping
  • The hackers are adept with vishing, and they often exploit third-party vulnerabilities
Vegas casinos ransomware attack

The images above (courtesy provide a sense of the impact.

casino ransomware attack

The methodology

  • Scattered Spider researched MGM and found employees’ information on LinkedIn. By impersonating them on a call with the outsourced IT Helpdesk, they managed to reset the MFA for the account.
  • The attackers created persistence in MGM’s network and gained control over critical systems, including Okta and the Microsoft Azure cloud environment.
  • This allowed them to exfiltrate terabytes of data from MGM’s network.
  • They deployed their ransomware (ALPHV/BlackCat), severely disrupting MGM’s operations and services.

The response

  • MGM’s decision was not to pay the ransom.
  • The Okta sync servers were terminated, leading to the termination of the threat actors’ initial access.
  • As the hackers had persistent access to Azure, all services had to be shut down and rebuilt

Lessons learnt

  • The importance of minimising exposure of privileged accounts and improving MFA control.
  • Necessity of protecting Identity Management Services.
  • Enhanced Identity verification by the helpdesks and protection against social engineering.
  • Employee training and awareness to prevent similar attacks in the future.
  • Detection of anomalous behaviour. The attackers were in the system since August 23.
protection against ransomware attacks

Caesars Palace casino ransomware attack

Cyberattack 2: Caesars Entertainment

  • With a turnover of est. 3.5 billion USD and similar business interests, Caesars Entertainment, was hit by the ransomware attack (supposedly) by the same perpetrators.
  • The initial ransom demand is considered $30 Million, negotiated down to $15 Million.
  • There were no significant outages, and the attack did not gain substantial media attention compared to MGM coverage.
  • The company has said that although attackers have confirmed data deletion, they cannot guarantee it.


  • Despite proactive measures and investment in technology, MGM and Caesars both faced cyberattacks, demonstrating the sophistication and persistence of modern cyber threats.
  • Both companies now face class-action lawsuits for not adequately protecting their customers’ data, highlighting the importance of robust cybersecurity practices.
  • Dealing with ransomware threat actors presents significant challenges and considerations, including decisions on ransom payments vs recovery costs.
  • The decision to pay a ransom in a cyberattack involves considerations such as potential damage, recovery capabilities, risk of encouraging future attacks, and ethical concerns.
  • MGM Resorts chose not to pay, potentially leading to short-term operational disruption and financial loss, but avoiding risks associated with funding criminal activities or the unreliability of attackers.
  • Caesars Entertainment paid, enabling continued operations, but this doesn’t guarantee data recovery and may invite future attacks as the attackers would have possibly left the backdoors in their IT estate.
  • Both companies face significant recovery costs and must demonstrate that these attacks will not be repeated.
ransomware attacks support
What our clients think

“We began looking at how to get ISO 27001 certification and CSA Star Level 2. After an extensive search it became clear that while many companies stated they could deliver both, RightCue was the only business that met our requirements.

“The RightCue team were instrumental in the process – to be blunt, if there was no RightCue, we wouldn’t have been able to do this. Their knowledge of controls was outstanding, and they really understood our business.”


“We were keen to develop our IT security to the next level so we could expand our client base as well as giving existing clients further peace of mind. Working with RightCue has been a total pleasure. They are just lovely people and to us they are not only trusted advisors but they feel like part of our extended team.

"Working with RightCue has supported our growth as a business and given us the reassurance we need, knowing that our security and data protection is well developed and managed - that's thanks to RightCue.”


“In early 2021, the ATI established the FlyZero project, with ambitious targets and timeframes. RightCue were involved from the start, contributing ideas and sustainable solutions to keep the project data secure.

“RightCue are so supportive and helpful. They operate almost as a virtual CIO and worked with me on a long-term strategy for IT and security to ensure it remains fit for purpose as the business continues to grow.”


“Beyond the accreditations, RightCue have caused us to think harder. To develop a maturity for our cyber security – processes and ideas for the future, and to think beyond IT to the business implications. Would I work with RightCue again? Absolutely, without hesitation…’


“RightCue helped us to achieve our cyber security accreditations including Cyber Essentials and IASME. But it’s more than that - the protection and management of data is now very much at the centre of our business.

“The RightCue team are absolute stars. Nothing is too much trouble. if you need help with cyber security, you can’t go wrong with RightCue.”


"The team at Rightcue worked very closely with our internal team on our ISO27001 accreditation. They were extremely thorough and rigorous throughout the process, they acted professionally at all times and guided us through each step of the way to attain ISO27001. I would recommend Rightcue to help you achieve your security accreditations.”


"They don’t just do the job and leave. They are at the end of the phone and happy to advise and engage at any time if you need them. If you’re considering Cyber Essentials accreditation, I’d definitely recommend RightCue.”


"Whilst going for a computer security accreditation is never easy, the team at RightCue made it as painless as possible. They were clearly very knowledgeable and as helpful as they could be, given their role as a certification body…”


“There is no doubt working with RightCue saved me a hell of a lot of time. I didn’t have to spend ages researching solutions. I would say RightCue are a very dependable resource, and are reassuringly competent. A good choice if you’re looking to acquire security accreditations…’


“We have been hugely impressed with the team at RightCue. They are very approachable and incredibly knowledgeable...Achieving those accreditations was so much easier, by working with an experienced and accomplished team of professionals, such as RightCue…’


“Having confidence in recommending them to our clients has allowed us to concentrate on playing to our strengths.

All of the RightCue team are very helpful and very willing to go the extra mile. They are very committed to delivering a good service, and that’s why we are always happy to refer them.”


Get in touch with us

RightCue Assurance helps clients develop effective business resilience against cyber risks through pragmatic solutions. Contact us if you need advice on protection against ransomware attacks and cyber risks.

+44 (0)1256 260 780