Go Back

Analyzing MGM Resorts’ Response to the Scattered Spider Ransomware Attack


Brendon Rod

Chief Evangelist

The MGM Resorts Ransomware Attack by Scattered Spider

Las Vegas, Nevada – September 26, 2023 – MGM Resorts International, a global hospitality and entertainment company, recently found itself in the crosshairs of a malicious ransomware attack orchestrated by the notorious Scattered Spider cybercriminal group. This incident not only underscored the growing threat of cyberattacks but also raised questions about what MGM Resorts could have done differently to prevent such a security breach.

In an era where data security is paramount, MGM Resorts understands the gravity of the situation and is committed to learning from this unfortunate event to enhance its cybersecurity measures.

Here, we examine the key aspects of the Scattered Spider ransomware attack and what steps companies can take to help bolster their resiliency against this type of attack.

Understanding the Scattered Spider Attack

The Scattered Spider ransomware attack against MGM Resorts was a sophisticated operation that exploited vulnerabilities in the company’s network infrastructure. The attackers gained unauthorized access to sensitive data, encrypted it, and demanded a substantial ransom in exchange for its release.

MGM Resorts responded promptly by engaging cybersecurity experts, law enforcement agencies, and IT professionals to contain the breach and prevent the further spread of the ransomware.
The company also made efforts to minimize the impact on its guests and employees.

5 Best Practices for Preventing Ransomware Attacks

Preventing ransomware attacks is essential for safeguarding your organization’s data and operations.

Here are five best practices to help protect your systems from ransomware:

1. Regular Backups and Data Recovery Plans:

  • Implement a robust data backup and recovery strategy. Regularly back up all critical data, and ensure backups are isolated from the network to prevent encryption during an attack.
  • Test your data recovery process to ensure that you can quickly restore data if a ransomware attack occurs.

2. User Training and Awareness:

  • Train employees on recognizing phishing attempts and suspicious email attachments or links. Many ransomware attacks begin with social engineering tactics.
  • Encourage a culture of security awareness, where employees are vigilant and report any unusual activity.

3. Update and Patch Software:

  • Regularly update and patch operating systems, software, and applications. Outdated systems often have vulnerabilities that ransomware can exploit.
  • Implement a vulnerability management process to identify and address weaknesses in your IT environment.

4. Access Control and Least Privilege:

  • Enforce the principle of least privilege (PoLP). Ensure that users and systems have only the minimum level of access required to perform their tasks.
  • Regularly review and adjust user permissions to limit exposure to ransomware. This minimizes the potential impact of an attack.

5. Security Solutions and Defense-in-Depth:

  • Deploy a multi-layered security strategy, often referred to as defense-in-depth. This includes firewalls, intrusion detection systems, and endpoint protection software.
  • Use email filtering and gateway security to block malicious content and attachments.
  • Employ endpoint detection and response (EDR) solutions to monitor for suspicious behavior and respond to potential threats.
  • Use reliable antivirus and anti-malware software, and regularly update signature databases.

In addition to these best practices, it’s essential to have an incident response plan in place.

This plan should outline steps to take in case of a ransomware attack, including communication procedures, containment measures, and recovery efforts. Regularly update and test your incident response plan to ensure it is effective in mitigating the impact of an attack.

MGM Resorts’ Commitment to Cybersecurity

In the wake of the Scattered Spider ransomware attack, MGM Resorts is redoubling its efforts to bolster its cybersecurity defenses. The company is investing in cutting-edge technology, employee training, and comprehensive risk assessments to safeguard its guests, employees, and operations.

As the digital landscape continues to evolve, MGM Resorts remains vigilant and proactive in its pursuit of a secure and resilient cybersecurity infrastructure.

MGM Resorts International, a symbol of luxury and entertainment, recently found itself grappling with a cybersecurity crisis that sent shockwaves through the industry. The ransomware attack, attributed to the notorious ALPHV/BlackCat ransom gang, disrupted both the operations and digital infrastructure of this prestigious brand, causing severe financial losses. The hack is estimated to cost MGM Resorts $100 million. MGM reported that it allocated approximately $10 million for one-time expenditures associated with the cyberattack, primarily directed toward technology consulting services, legal charges, and fees for other external consultants.

Renowned establishments like the Aria, Bellagio, Luxor, MGM Grand, and Mandalay Bay saw their websites taken offline, and the fallout from this incident could be catastrophic.

As we examine this incident, it becomes clear that the lessons to be learned extend beyond the immediate impact of the attack. Rather than dwelling solely on prevention, we should focus on cyber resilience—how organizations can better respond and prepare for recovery in the face of relentless cyber threats.

Understanding the Art of Social Engineering

To appreciate how MGM Resorts’ response could have been different, we must first delve into how social engineering works. Social engineering is the manipulation of human psychology to gain access to confidential information or systems. Cybercriminals prey on human vulnerabilities, exploiting trust and emotions to trick individuals into divulging sensitive data or performing actions that compromise security.

The Role of Social Engineering in Ransomware Attacks

Social engineering has been a critical weapon in the arsenal of ransomware groups like Scattered Spider.
 In the case of MGM Resorts, understanding the tactics used sheds light on the significance of cyber resilience.

Scattered Spider likely utilized social engineering techniques to:

  1. Phishing: Cybercriminals send deceptive emails masquerading as legitimate entities. These emails often contain malicious attachments or links that, when clicked, grant attackers access to systems. 
  2. Vishing: Voice phishing, or vishing, involves impersonating trusted individuals over the phone to extract information. In MGM’s case, VX Underground reported that the MGM cyber attack was the result of vishing. This underscores the importance of strengthening telephonic security measures.
  3. Pretexting: Attackers create fabricated scenarios or false identities to manipulate individuals into disclosing sensitive information. 
  4. Baiting: Cybercriminals lure victims into downloading malicious files or clicking on compromised links by offering something enticing. Implementing robust email and web filtering solutions can help mitigate this risk.

Do Okta Users Need to Panic?

MGM Resorts’ cybersecurity incident highlights vulnerabilities in their Identity and Access Management (IAM) system, particularly their reliance on Okta. However, Okta users need not panic but should instead focus on enhancing their security measures. Okta remains a trusted IAM platform when used with robust security protocols.

Strengthening Okta Security for Cyber Resilience

For Okta users looking to bolster their cybersecurity stance, here are some key strategies:

  1. Multi-Factor Authentication (MFA): Enforce MFA for all users to add an extra layer of protection. Even if attackers acquire login credentials, MFA can prevent unauthorized access.
  2. Continuous Monitoring: Implement continuous monitoring of your IAM systems. Suspicious activities can be detected early, allowing for swift responses.
  3. Regular Updates and Patch Management: Keep your IAM system, including Okta, up to date with the latest security patches. Many breaches occur due to unpatched vulnerabilities.
  4. User Training: Educate employees about the risks of social engineering and phishing attacks. Regular training sessions can empower them to recognize and report suspicious activity.
  5. Incident Response Plan: Develop a robust incident response plan that includes steps for mitigating IAM-related threats. Being prepared can minimize the impact of an attack.
  6. Backup and Recovery: By implementing a robust backup and recovery strategy, you can reduce the risk of data loss and downtime in the event of a cyberattack or other incident.

By implementing these strategies, Okta users can strengthen their security stance and improve their cyber resilience. In addition to these strategies, Acsense can also help Okta users improve their cyber resilience by:

Acsense can help organizations implement and manage these strategies effectively. By using Acsense, Okta users can reduce their risk of being targeted by cyberattacks, minimize the impact of an attack if it occurs, and recover quickly from an attack.

The Direct Impact on MGM’s Infrastructure

The MGM Resorts cyber attack serves as a poignant reminder of the imperative nature of business continuity and disaster recovery preparedness. The vibrant atmospheres of iconic landmarks like Bellagio, Mandalay Bay, and the Cosmopolitan were transformed into ghostly stillness. Slot machines were incapacitated, websites crashed, and guests found themselves locked out due to malfunctioning room keys.

This incident underscores the critical importance of swift recovery in the face of a cyber crisis.
The longer critical systems remain down, the more financial damage an organization incurs.

Thus, while immediate breach responses are vital, a comprehensive cyber resilience strategy is indispensable.

MGM Ransomware Insider Insights

The cyber domain is often shrouded in whispers and insider revelations.

Notably, a user, @LasVegasLocally, privy to MGM insights, intimated the gravity of the situation, casting doubts on the company’s ability to meet payroll commitments. This revelation, shared by
Stefanie Schappert from Cyber News, paints a vivid picture of the extensive reach and consequences of such cyber attacks.

Concurrently, murmurs concerning luxury stalwart Caesar’s Palace surfaced, with suggestions of a whopping $30 million ransom payment to preclude the pitfalls MGM encountered.

These insider insights further underscore the severity of the situation and the exorbitant costs associated with cyber attacks in the hospitality industry.

Taking a Step Back: The Role of Social Engineering and Basics

A profound lesson drawn from both the MGM Resorts incident and the attack on Okta customers is the unmistakable role of social engineering in these breaches. Cybercriminals often exploit human vulnerabilities, underscoring the need to revert to foundational cybersecurity practices. Acsense emphasizes returning to the basics, which includes emphasizing employee training, safeguarding critical systems through data protection, and implementing disaster recovery solutions.

In the digital age, it’s not solely about the technology we use but the principles we uphold.

Cybersecurity is as much about people and processes as it is about technology.
Understanding and mitigating the human element in cyber threats is crucial.

Rethinking Cybersecurity Strategies for Resilience

The cyber onslaught on MGM Resorts exemplifies the metamorphosing landscape of cyber threats.

As the dynamics shift, global businesses must revisit and restructure their cybersecurity frameworks. Future defenses will pivot less around constructing insurmountable barriers and more on devising systems primed to endure adversities and emerge resilient.

Cybersecurity professionals and organizations alike must embrace this paradigm shift. Cyber threats are no longer isolated incidents but ongoing challenges that require continuous adaptation and innovation in defense strategies.

Understanding Cyber Resilience 

Cyber resilience is the ability of an organization to withstand and recover from a cyberattack.
It is the ability to anticipate, prepare for, respond to, and recover from cyber threats. Cyber resilience is essential for organizations of all sizes, as cyberattacks are becoming increasingly sophisticated and targeted.

How Acsense can Help Okta Users Improve Their Cyber Resilience

Acsense specializes in IAM Resilience, focusing on addressing critical challenges that organizations face, such as operational impact, financial consequences, and reputational risks.

Challenges We Address:

Operational Impact: Organizations often grapple with blocked access, data loss, downtime, and significant recovery costs, which can disrupt operations and lead to financial losses.

  • Financial Consequences: IAM failures can result in potential revenue loss, making it imperative to maintain uninterrupted operations.
  • Reputational Risks: An IAM failure can erode customer trust, leading to immediate and lasting reputational damage.

This may also expose organizations to legal actions and compliance fines.

How Acsense Helps:

Acsense’s IAM Resilience Platform is designed to meet the shared responsibility model, emphasizing data security, continuity, and compliance. We eliminate IAM as a single point of failure and actively protect against a spectrum of threats, including ransomware, insider risks, misconfigurations, and human errors.

We enhance your identity management infrastructure by offering features like continuous backups, one-click granular recovery, point-in-time recovery, and a fully air-gapped hot standby tenant. 


With our low Recovery Time Objective (RTO) and Recovery Point Objective (RPO) metrics, Acsense is the trusted choice for IT and security teams seeking rapid recovery and comprehensive protection.

Back up and Recover Okta data: 

Acsense can help organizations back up and recover their Okta data in the event of a cyberattack or other incident. Acsense provides a secure and reliable way to back up Okta data, and it also provides tools to help organizations recover their data quickly and efficiently.

By using Acsense, Okta users minimize the impact of an attack if it occurs, and recover quickly from an attack. Acsense can help Okta users strengthen their security posture and improve their cyber resilience by providing a comprehensive suite of IAM Resilience solutions that can help organizations protect and recover from ransomware attacks.


Acsense: Your Partner in IAM Resilience

Acsense offers a suite of cutting-edge IAM resilience solutions designed to protect your organization from ransomware attacks and human error.

With our Data Protection Services, you can confidently defend against cyber threats against your IAM systems and infrastructure, mitigate misconfigurations, and mitigate the impact of human errors. Don’t leave your IAM security to chance – rely on Ascense for comprehensive and proactive data protection for uninterrupted access.


Embracing Cyber Resilience

The MGM Resorts cyber attack serves as a significant wake-up call for industries everywhere. 


In the unpredictable arena of cyber threats, businesses can’t afford to be passive or naive. This MGM situation punctuates the message: Ensuring robust backup, especially for critical systems like IAM, isn’t a luxury—it’s a necessity. 


Cyber resilience is no longer a buzzword but a fundamental requirement. 


Schedule a demo with our experts to explore how Acsense’s IAM Resilience Platform can fortify your Okta system against threats and ensure business continuity.




Looking to stay in the loop on the latest IAM trends and updates?


Subscribe to the FiveNines IAM newsletter today and gain access to exclusive insights from industry leaders, groundbreaking companies, and global news outlets. Don’t miss out on the must-read monthly newsletter that delivers the juiciest edition yet of IAM resilience.


Subscribe on Linkedin now and stay ahead of the curve!

Scroll to Top
Skip to content