
MGM ESXi servers encrypted by ransomware attack: BlackCat group held responsible

MGM Resorts hit by ransomware attack: cybersecurity implications and business repercussions

According to reliable sources, MGM's ESXi servers were encrypted by a ransomware attack conducted by the BlackCat/ALPHV group. The Scattered Spider group is suspected of using several types of social engineering attacks.

MGM's ESXi servers were reportedly encrypted in a ransomware attack, according to reliable sources. The BlackCat group, also known as ALPHV, is believed to be responsible for this attack, which disrupted MGM Resorts' operations and forced the company to shut down its IT systems.

Ransomware executed and MGM data stolen

Research by cybersecurity experts reveals that cybercriminals affiliated with the ALPHV ransomware group, known as BlackCat, allegedly breached MGM through a social engineering attack. Although it has not been confirmed, the administrator of BlackCat/ALPHV revealed that one of their "adverts" (affiliates) carried out the attack on MGM, but denied that it was the same actor who hacked Western Digital last March.

Scattered Spider: the group behind the attacks

Scattered Spider is a cybercriminal group suspected of using a wide range of social engineering attacks to compromise corporate networks. These attacks include impersonating help desk staff to trick users into providing their credentials, SIM swap attacks to take control of a targeted mobile device's phone number, and phishing and MFA fatigue attacks to gain access to multi-factor authentication codes.

Scattered Spider's attack method

Once the threat actors have compromised a network, they have been shown to use Bring Your Own Vulnerable Driver attacks to gain elevated access to a compromised device. This access is then used to spread laterally across the network, steal data, and ultimately gain access to administration credentials. Recently, they have started carrying out ransomware attacks using the BlackCat/ALPHV ransomware to encrypt devices. The ransomware component is a new tactic for the group, which usually engages in extortion by demanding millions in ransom in exchange for not disclosing data or for providing a decryptor.


09/17/2023 13:41

Marco Verro
