A matter of timing
MGM Resorts International CEO Bill Hornbuckle has confirmed that his company did not pay a ransom to hackers who brought MGM to its knees last month. Speaking at the Global Gaming Expo on Tuesday, Hornbuckle called it “corporate terrorism at its finest.”
“It took us (until day three) to figure out how to get out of it as we thought they would tell us what to do to get out of it,” Hornbuckle said, explaining the reasoning behind not paying a ransom to regain control of the company’s systems. “And so it was a decision of, no, we shouldn’t be paying a ransom. It’s going to take us as long to figure this out anyway, even if they gave us the encryption keys. And so let’s just move forward and put ourselves when we get through this in a much different and better place.”
As had been widely reported, the hackers gained access to MGM’s computer systems, at least in part, with a tactic called social engineering.
vx-underground, a group that curates what it says is the “largest collection of malware source code, samples, and papers on the internet,” explained it simply in a post on X: “All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.”
Hornbuckle effectively confirmed this without giving away details, saying, “We have a call center that’s for ‘my machine is broken,’ and then we have a tech call center, which is for the technical crew. That’s the layer that got engineered. And so how that process works going forward needs to be rethought and it’s been done, has been and will continue to be. That’s the key lesson.”
It was a race to shut things down
Basically, it sounds like the hackers got enough information about an MGM employee to convince someone at the tech call center that they were really that employee. While we don’t know exactly what happened, it was probably something like, “Hey, my password isn’t working, can you tell me what it is?”
That’s oversimplifying, but it certainly seems like it was quick and easy. And once the hackers were in, they were able to use their resources to take control of companywide systems.
“We saw it early, so we had good indicators on the ground,” Hornbuckle detailed. “By day two, we knew they were there. We reacted quickly to protect data. And so you saw us shutting down systems by our own design. What ended up happening is criminals literally understood what was happening and they shut the balance of it down for us. We found ourselves in an environment where for the next four or five days, with 36,000 hotel rooms and some regional properties, we were completely in the dark. I mean, literally the telephones, the casino system, the hotel system, the key system, and I could go on and on and on, were not functioning.”
Hornbuckle added that the company does not believe that customers’ financial information, like saved credit cards or bank account numbers, was accessed.