MGM Resorts’ Incident Response Strategy Pays Off
In September, MGM Resorts, a hospitality and casino giant, experienced a ransomware attack. Unlike Caesars Entertainment, which had previously been targeted by the same threat actors and chose to pay a negotiated ransom of $15 million, MGM decided not to engage or negotiate with the cybercriminals. The fallout from their respective approaches was quite different. While Caesars was able to quickly return to normal operations, MGM struggled to recover for over a week.
The Cost of the Breach
According to a revised Securities and Exchange Commission (SEC) disclosure form 8-K, MGM reported losses of approximately $100 million as a result of the breach. While this may seem like a significant amount at first glance, the company stated that the impact on its third-quarter financials would be minimal, with little spillover likely into the fourth quarter. This is in part due to MGM’s substantial revenue: the company generated nearly $4 billion in the second quarter across its global operations and $2.1 billion from its Las Vegas properties alone.
“The Company does not expect that it will have a material effect on its financial condition and results of operations for the year,” said MGM in its SEC disclosure. The company is already looking ahead to November when Formula 1 racing is set to take place on the Vegas Strip, which is expected to significantly boost its fourth-quarter earnings.
Debating the Strategy: Paying vs Not Paying
MGM’s decision not to pay the ransom aligns with the recommendations of cybersecurity experts, government officials, and law enforcement. Anne Cutler, a cybersecurity evangelist with Keeper Security, emphasizes that paying a ransom does not guarantee a full return of an organization’s systems and data and only perpetuates the ransomware ecosystem.
The outcome of MGM’s refusal to pay makes a surprising case for businesses to take a firm stance and refuse to negotiate with cybercriminals following a ransomware attack. However, the question that arises is whether organizations with deep pockets make better or worse targets for ransomware attacks.
No Organization is Immune
According to Viakoo CEO Bud Broomhead, no company, regardless of its size or financial resources, is immune to being hacked. The crucial factor lies in how resilient the organization is in responding to a hack. Broomhead points out that MGM may have invested heavily in backup and recovery, learning from this attack to identify and strengthen their weaknesses so they can be even more resilient in the future.
While larger businesses like MGM may be better equipped to absorb the costs of remediation, smaller and midsize businesses could be severely impacted, even to the point of going out of business entirely, by a ransomware attack. Instead of gambling on whether to pay the ransom after an attack occurs, businesses are advised by Omri Weinberg, co-founder of DoControl, to continually invest in cybersecurity technology to keep up with evolving threat actors.
“No company will ever be fully bulletproof, and just like a casino, you need to bet on where to invest your resources and funds into your cybersecurity practice,” says Weinberg. The adversaries will always be more sophisticated with new technologies, making it a never-ending game.
The Importance of Resiliency in Incident Response
Broomhead commends MGM for its incident response strategy, including its decision not to pay the ransom. He hopes that its example will encourage more organizations to prioritize resiliency and business continuity in the face of cyberattacks.
“It’s never a question of if you will be hacked, just when you’ll be hacked and how prepared you are for it,” says Broomhead.
Investing in Cybersecurity
It is crucial for companies of all sizes, not just MGM Resorts, to prioritize cybersecurity and regularly invest in the necessary technologies and practices. Cybersecurity threats evolve rapidly, and organizations must stay vigilant and proactive to protect their systems, data, and reputation.
While no system can be entirely foolproof, businesses should focus on creating a robust cybersecurity framework that includes comprehensive backup and recovery strategies. These measures not only help prevent successful attacks but also enable organizations to recover quickly and efficiently in the event of a breach.
Furthermore, organizations should engage with cybersecurity experts and remain up to date on the latest threat intelligence, implementing security measures that align with industry best practices.
In conclusion, MGM Resorts’ decision not to pay the ransom following the ransomware attack showcases a business case for refusing to negotiate with cybercriminals. The company’s incident response strategy, coupled with its focus on resiliency and business continuity, highlights the importance of investing in cybersecurity and being prepared for inevitable attacks in today’s digital landscape.