Verticals Targeted: Gambling, Hospitality, Recreation
Executive Summary
MGM Resorts International was the victim of a recent cyber attack that impacted several systems, including its website, reservations, and in-casino services such as ATMs, slot machines, and credit card machines. ALPHV has taken credit for the attack.
Key Takeaways
- MGM Resorts International was the victim of a recent cyber attack that impacted several systems, including its website, reservations, and in-casino services such as ATMs, slot machines, and credit card machines.
- The attack was perpetrated by Scattered Spider, which is noted to be a subgroup of ALPHV.
- The threat actors used social engineering tactics to compromise MGM Grand.
The Incident
MGM Resorts International was the victim of a recent cyber attack that impacted several systems, including its website, reservations, and in-casino services such as ATMs, slot machines, and credit card machines. The attack was perpetrated by Scattered Spider, which is noted to be a subgroup of ALPHV.
In response to the attack, MGM took the precaution of shutting down several of its systems to mitigate the incident. This resulted in MGM Grand being forced to use alternate, archaic business methods such as making reservations via telephone, taking credit card information using pen and paper, accepting cash-only for bars, and issuing paper vouchers.
VX-Underground was one of the first to report that ALPHV used social engineering tactics to compromise MGM Grand. VX-Underground also noted Caesars was hacked using the same technique. They derived this information from a U.S. Securities and Exchange Commission report.
Who is ALPHV?
ALPHV is a financially motivated threat actor group known for ransomware operations. Industry researchers have speculated the group’s members are likely based in the UK or Europe. The group is known for multiple ransomware variants with similar code, including ALPHV, BlackCat, Sphynx, and Noberus.
ALPHV is proficient in social engineering tactics and human-operated ransomware attacks. The group has been effective in marketing to its affiliates, and affiliates receive a generous share of ransom payments.
ALPHV is known to target multiple verticals including construction, engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunication, auto components, healthcare, and pharmaceuticals.
ALPHV/BlackCat ransomware as a service (RaaS), thought to be the first ransomware family written in Rust, was first observed in late 2021. It includes a highly customizable feature set allowing for attacks on a wide range of targets. The malware has evolved over time, with one of the more recent variants leveraging Impacket.
IOCs
PolySwarm has multiple samples of ALPHV.
E7060538ee4b48b0b975c8928c617f218703dab7aa7814ce97481596f2a78556
9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26
F7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083
3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1
F8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6
5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42
You can use the following CLI command to search for all ALPHV samples in our portal:
$ polyswarm link list -f ALPHV
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports
