The second-most expensive ransomware attack in history?

Joined
Oct 22, 2019
Messages
3,641
This is crazy. Caesars Entertainment paid $15 million to settle a ransomware attack this past week. :oops: (MGM Resorts was also a victim soon after, but they are resisting the hackers' demands, as it is still an ongoing situation for them.)


How did the hackers do it? Good old fashioned social engineering.
The hackers who targeted the company employed a social engineering scheme, posing as an employee and contacting the company’s IT help desk to change a password, according to the WSJ report.
The preferred tactic for both ransom gangs is to use social engineering to gain access into the companies’ IT systems — and they are extremely good at it, say cybersecurity experts. ALPHV reportedly bragged that it took 10 minutes to infiltrate MGM’s system after identifying an MGM tech employee on LinkedIn and then calling the company’s support desk. Scattered Spider gained entry to Caesars’ system by deceiving an employee at a third-party vendor.


As far as MGM's situation, they found themselves locked in a standoff stalemate with the hackers when they did not comply with their initial payout offer:
“After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident,” - BlackCat/ALPHV.


Most of their services and operations are back online, but as of today (Sept. 18, Monday) they are still hemorrhaging financially:
MGM Resorts reportedly did not pay the ransom, and experts estimate that the attack could cost the company more than $8 million per day in lost revenue.


My goodness...


EDIT 1: I had based it on outdated pre-2021 data, in which $5 million was the highest payout. Turns out, the record is held by CNA Financial of a $40 million payout. Looks like Caesars could be a strong second.

EDIT 2: It's tricky to compare attacks, since some involve encrypting data, in which the decryption key is the "reward" for payment. In other attacks, a ransom is paid to get access back into the network.

Davvo

MVP
They evidently didn't use TrueNAS.
I don't think that ZFS or TrueNAS could prevent someone from handing over access in a phone call. :tongue:

"You're Jake from Tech Support? You sure do sound like him. Password? Sure! Here yah go, Jake! Thank goodness you're not some malicious hacker. That would be terrible for our company."
 

Davvo
Do you mean that a password granting ADMIN PRIVILEGES was reset via phone call without proper identification? :eek::eek:
If things are like this, the head of the one who thought such actions could be authorized into SOP needs to roll.

Anyway, offsite backups exist for (even) this reason.

EDIT: read the article. My gosh.
Unrelated, but @Davvo if you could private message me your email address, date of birth, and your last known good password? I need to do a couple things to secure your account. Will only take a minute.