A year after cyberattacks that temporarily crippled MGM Resorts International and prompted Caesars Entertainment to pay a ransom to avoid the same fate, hackers haven’t slowed their attempts to hit the casino gaming industry, and operators still have a lot to learn.
G2E held a session this week on “Lessons Learned One Year Post MGM & Caesars’s Cyber Attacks” that looked back on the largest cyber events to hit the gaming industry.
In September 2023, MGM’s operations were interrupted for days after the company reportedly declined to pay the $30 million ransom requested by the hackers known as Scattered Spider. Caesars Entertainment paid $15 million after some customer data was stolen.
“I don’t think the money is being invested in IT and security in the gaming industry,” said cybersecurity expert Heath Renfrow, co-founder of Fenix24 and chief information security officer at Conversant Group. “I’m getting calls all the time. They’re understaffed, the money isn’t there, and they don’t truly understand the threat actor. I don’t think it’s a lesson learned.”
Renfrow said if companies don’t do their due diligence every day, they “will fail miserably” and struggle to get back online; their business-interruption costs will skyrocket, they’ll blow through their insurance coverage and they could lose the business.
“Ransomware attacks have a very high impact,” said Alexandra Bretschneider, vice president of cyber practice at JKJ, a risk-management and insurance brokerage. “Ransomware definitely scares us.”
Renfrow said attacks can be devastating for properties, especially at the regional level, because shutdowns or other problems push customers to competing properties.
“MGM had great backups and were able to recover fairly quickly,” Renfrow said. “They were one of the few to have good efficient backups.”
Caesars made a financial decision to pay the ransom, because the threat actor was so persistent. “MGM wasn’t going to play that game, to their credit,” Renfrow said.
Bretschneider said paying a ransom is a business decision — it’s “cheaper to pay” and get their encryption keys and keep operating without any issues.
In his 27 years of experience, the No. 1 lesson Renfrow has learned is that companies need backups that are tested.
“U.S. Cyber Command came out this week and said insurers have stopped encouraging making ransomware payments,” Renfrow said.
Benjamin Wanger, an attorney with Baker & Hostetler who advises clients on ransomware payments, said one reason to pay is that a company doesn’t have sufficient backups and the only way to restore its systems, short of rebuilding from the ground up, is to purchase a decryptor. The other reason is that hackers take data in addition to encrypting the systems and threaten to release it on the dark web if the ransom isn’t paid.
“The questions I get are, how can you feel safe negotiating with these criminals and why would you ever pay them?” Wanger said. “Ransomware is a business and this business model depends on reputation. If these threat actors get a reputation for not doing what they say they’re going to do, the whole model falls apart. In practice, these threat actors almost never take the money and run. They’re not anarchists looking to see Rome burn. They want money. They don’t care if they hurt you, but that’s not the goal.”
Wanger said they get law enforcement involved, but “they’re not incredibly helpful.” It’s a good optic to tell hackers that law enforcement is involved, and maybe law enforcement has intelligence, but most of the time these hackers are in Russia, and unless they go on vacation in the Bahamas, there’s not much that can be done.
“The one area where law enforcement is valuable is in ransom payments,” Wanger said. “They aren’t illegal, but it is illegal to pay an entity on a sanctions list. If you didn’t know the entity was on that list, it’s not a defense. But when we do decide to pay ransom, we talk to the FBI about the plan and say, here’s the Bitcoin address and information we have about the threat actor. We ask if they’re on the (sanctions list). When they say no, we’ll pay. If God forbid you find out down the road the threat actor was on the list, that’s a mitigating factor.”
The other positive of involving law enforcement, according to Wanger, is that the Secret Service is very good at tracking the money.
As for other concerns, hackers aren’t interested in data like Social Security numbers and it’s rare to see identity theft related to attacks, Wanger said. “The business model is extortion and not identity theft.”
Bretschneider said hackers will use data that they’ve stolen, however, to call customers and let them know if the company isn’t paying ransom.
“That hurts their reputation,” Bretschneider said of companies who were attacked. “The hackers get their money however they can. They want their large payday and to move on to the next one.”
Wanger urged operators, when they experience one of these incidents, not to jump the gun and notify customers of a breach of their personal information unless an investigation shows something was actually taken.
Insurance covers incident response, legal defense, ransom payments and business interruption, Bretschneider said. Renfrow added that companies don’t carry enough insurance coverage.
“Check if you have insurance. Check to see if your backups are separated and do a test exercise,” Bretschneider said in a last piece of advice.