In early September, the news about a hack hitting the MGM and Caesars casino and hospitality chains dominated the industry headlines for several days. It appears that known threat actors carried out the attacks, and the attacks significantly impaired operations for several days. It has also been reported that MGM paid a multimillion-dollar ransom to try to unlock its network and resume operations.
Why It Matters
These attacks provide valuable lessons to large and small companies alike:
First: no one is impervious to attack. The best defense is multi-layered and includes a way to restore operations/data from backup and continuity resources.
Second: the FBI encourages victim businesses to work with law enforcement when they are attacked. The reality is that not all attacks are large enough to secure resources from law enforcement, however, which is even more reason to have a self-help solution planned well in advance.
Third: the FBI discourages paying ransoms, as it publicly said in this incident. Why? Several reasons: it can make you a potentially lucrative future "mark;" and increasingly, hackers collect a ransom and don't release the data back to the company. They may destroy it, or they may demand a higher ransom to prevent its publication on the dark web or other media.
Fourth: the hack itself isn't always the end point. Regarding the particular groups suspected of involvement in the MGM/Caesars attacks, the attached article makes the point that the bad guys “heavily rel[y] on email and SMS phishing attacks and have also been observed attempting to phish other users within an organization once they’ve gained access to employee databases.” That is, after hanging around in your environment for a while, threat actors may try additional efforts to attack using details they find about your employees -- to see if that can lead them to additional victim companies.
The upshot? Keeping threat actors out is better than trying to get them out once they get in; but at the same time, protecting your business relies on both keeping them out and having a plan for what to do if they get in.