Incident Summary : MGM Resorts Ransomware Attack

The MGM Resorts International, a prominent player in the global hospitality and entertainment industry, experienced a devastating ransomware attack, orchestrated by the cybercriminal group Scattered Spider. This incident not only disrupted their operations but also resulted in substantial financial losses, showcasing the critical need for robust cybersecurity measures in the face of sophisticated cyber threats.

Detailed Tactics, Techniques, and Procedures (TTPs)

  • Social Engineering and Credential Phishing (T1566): Scattered Spider leveraged social engineering to deceive users into surrendering their login credentials or OTP codes, thereby circumventing multi-factor authentication systems.
  • Legitimate Tool Misuse (T1219): The attackers exploited publicly available, legitimate remote access tools, adapting them for malicious purposes.
  • Malware Utilization:
    • AveMaria (S0670): Enabled remote system access.
    • Raccoon Stealer: Facilitated the theft of login credentials, browser history, and cookies (TA0006).
    • VIDAR Stealer: Employed for similar data theft purposes.
  • Living Off the Land Techniques (TA0010): The group used native tools and allowlisted applications to traverse victim networks discreetly.
  • File Encryption (T1486): Post-exfiltration, files were encrypted to maximize impact.
  • Execution, Persistence, and Privilege Escalation (TA0003): This involved registering MFA tokens, adding federated identity providers, and leveraging EDR tools for command execution.
  • Discovery and Lateral Movement (TA0007): The attackers performed extensive network discovery, specifically targeting SharePoint sites, VMware vCenter infrastructure, and credential storage documentation.

Comprehensive List of Indicators of Compromise (IOCs)

  • Domain Names Used by Scattered Spider:
    • victimname-sso[.]com
    • victimname-servicedesk[.]com
    • victimname-okta[.]com
  • Malware Deployed:
    • AveMaria/WarZone (S0670)
    • Raccoon Stealer (TA0006)
    • VIDAR Stealer
  • Other IOCs:
    • Usage of commercial remote access tools.
    • SIM swapping attacks.
    • Exploitation of multifactor authentication fatigue.
    • Configuring additional Identity Providers in the Okta tenant.
    • Control over Microsoft Azure cloud environments.
    • Deployment of BlackCat/ALPHV ransomware.

Impact Analysis

  • Operational Disruption: The attack led to significant operational challenges, including malfunctioning hotel room keys, reservation system failures, point-of-sale system issues, and casino game disruptions.
  • Financial Losses: MGM Resorts estimated the attack would cost them around $100 million, with additional one-time expenses of under $10 million.

Mitigation and Response Strategies

  • Robust Multi-Factor Authentication: Strengthening MFA systems to resist social engineering and credential phishing.
  • Regular Security Audits: Conducting comprehensive audits to identify and rectify potential vulnerabilities.
  • Employee Training: Enhancing employee awareness and training to identify and respond to phishing attempts.
  • Network Segmentation: Implementing network segmentation to limit the spread of ransomware.
  • Backup and Recovery Plans: Establishing robust backup and recovery plans to mitigate data loss and ensure business continuity.
  • Incident Response Planning: Developing and regularly updating incident response plans.


The MGM Resorts ransomware attack underscores the evolving sophistication of cybercriminal groups like Scattered Spider. Organizations must proactively bolster their cybersecurity posture through advanced threat detection, employee training, and robust incident response strategies to mitigate such threats effectively.

Further Reading