The increase in ransomware attacks on casino companies, particularly tribal properties, continues to keep IT teams and leadership up at night.
The problem isn’t going away, according to steering committee members of the Tribal-ISAC (Tribal Information Sharing and Analysis Center) as part of TribalHub, a community of tribal leaders coming together to stay current with technology trends.
Cyberattacks were a big topic this past week in Las Vegas at the TribalNet Conference & Tradeshow. The conference hosted seven sessions on what Native American tribes and their enterprises can do to prevent and mitigate them; there was also a three-hour workshop on the final day of the conference on Thursday.
Steering-committee members sat down with CDC Gaming to discuss the ongoing problem, with an upswing of attacks on tribes since the pandemic, which disrupted operations, closed properties, and even led to ransomware payments.
The problem gained national attention a year ago when MGM Resorts International was upended in Las Vegas and across the country by a cyberattack.
In 2023, attacks against tribes were up about 60%. According to Adam Morrison, chief information officer for the Mississippi Band of Choctaw Indians, that could be an increase in reporting incidents that were kept quiet in the past.
In March, the Nisqually Red Wind Casino in Washington state was shut down temporarily after a cyberattack. In April, the Swinomish Casino and Lodge in Washington state announced it had resumed normal operations after a shutdown spurred by a cybersecurity incident. The casino alerted visitors to review their account statements and credit reports for any unusual activities.
With casino closures occurring at least once a quarter, it’s important to for tribes share what happened, identify the gaps, and prevent them in the future, according to Toni Pepper, CEO of Pepper Consulting.
“I definitely see an uptick in events happening in Indian Country. Having a space like Tribal-ISAC helps tribes to gain knowledge and share information on best practices,” said Robin Villareal, chief information officer with the Gila River Resorts & Casinos in Arizona.
Patrick Tinklenberg, vice president of IT at Sycuan Casino Resort in San Diego, said tribes are evolving and getting better, thanks to the dissemination of information on what to look for and fix.
“As we do that, we get better. We have to,” Tinklenberg said. “It’s not going to stop. Nothing is slowing down. I don’t believe there will ever be a year with less attacks than the year before. Now, artificial intelligence will speed up attacks and they’ll be more targeted with something that slips under the radar and causes more problems. The tools the bad guys are using are getting better and better, so we have to keep getting smarter and smarter to thwart them.”
Every tribe is vulnerable, but smaller tribes with smaller teams are at greater risk. Attackers know they don’t have the staff and resources to be as protected, said Adam Gruszcynski, IT director at the Potawatomi Casino Hotel in Milwaukee.
The amount of ransomware payments also keeps going up. Tribes get attacked, don’t have everything backed up and can’t restore their systems fast enough, so they’re more willing to pay the ransom, said Lee Edberg, cybersecurity manager with the Shakopee Mdewakanton Sioux Community.
“Everybody in the past ran independently. Legal told them not to share information, because they don’t know what the legal ramifications are going to be,” Edberg said. “Now you’re hearing about them, because they’re becoming more public as everybody deals with the same problem. We need to look at how to combat AI by using AI and companies need to figure it out.”
Nicholas Arico, a former FBI special agent and global cybersecurity specialist with Baker McKenzie’s North America Intellectual Property & Technology Law Group, spoke at the conference.
Arico explained that developers code the encryption software, while others perpetrate the attacks. They have guidebooks and playbooks so that today, anyone can jump into the ransomware game.
“Ransomware as a service has caused this type of criminal operation to take off,” Arico said. “Most organized-crime groups out of Russia. Ransomware payments hit over $1 billion in 2023 and they’re on the rise. Payments of more than $1 million are rising and payments below $1 million are decreasing. The threat actors are targeting larger organizations in order to get bigger payments.”
The threat actors are in the systems long before they initiate the ransomware event, Arico said. There’s even a growing problem of their paying employees several thousand dollars to click on phishing links to get them into the system. They move in and find the data as to where they can get the most money when they extort the business.
“The purpose is to extort you for the decryption keys,” Arico said. “Once they encrypt your environment, they extort you to pay for the encryption keys. If you have good backups, then they extort you about publishing your data on the internet or some dark forum.”
Hackers call customers and members of the board of directors to let them know what’s happening to put pressure on the operator to make payouts, Arico said. In one case, the attacker even filed a complaint with the SEC to say the operator didn’t comply with federal rules.