Claiming to correct “inaccurate reporting” that implicated the various groups as well as MGM representatives, the threat group is an enigma …

On 12 Sept 2023, MGM Resorts suffered a ransomware attack that took multiple systems offline at some of its major locations in Las Vegas. The affected casino hotels had to process transactions manually.

What we now know is that the ransomware group ALPHV has confirmed responsibility, publishing a statement on their Dark Web website in a move that marks the first time the group has publicly disclosed their involvement in an attack.

Apparently, ALPHV wrote that its hackers had been “lurking on… Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps” when their activities were discovered. MGM subsequently shut down every one of their Okta Sync servers. Yet, on 11 Sept, the group was still able to launch ransomware attacks, targeting 100 ESXi hypervisors, after the group had failed to “get in touch” with MGM.

So far, the threat group has not confirmed the types of data that have been exfiltrated, while continuing “negotiations” with MGM.

A growing trend identified

ALPHV (also known as BlackCat) is a Ransomware-as-a-Service (RaaS) threat actor that emerged in late 2021. It is known for using the Rust programming language and has the capability to attack both Windows and Linux-based operating systems. ALPHV is marketed on cybercrime forums and operates an affiliate program whose members have targeted organizations in a variety of industries, including healthcare, manufacturing, and government.

As one of the major RaaS threat groups, ALPHV has been responsible for almost 9% of all published victims in the past 12 months on Dark Web shame sites, preceded only by cl0p and Lockbit.

According to Sergey Shykevich, Threat Intelligence Group Manager, Check Point Research, this incident is yet more proof of the growing trend of ransomware attackers focusing on data extortion and targeting non-Windows operating systems: “The RaaS model continues to be very successful, combining strong technological infrastructure for the attacks, with savvy and sophisticated affiliates that find the way to penetrate major corporations. We can only speculate on what their next move may be, but what we do know is that organized groups like ALPHV are not afraid to publish data if their demands are not met. Regardless of their decision, MGM should keep hotel guests and visitors informed on what information may have been obtained.”