While the number of reported ransomware attacks dipped in September, substantial fallout continued for two Las Vegas hotspots.
MGM Resorts and Caesars Entertainment were two of several victims that disclosed ransomware attacks last month. TechTarget Editorial's 2023 ransomware database, which consists of publicly confirmed or disclosed U.S. attacks, tracked 21 disclosures for September. That number represents a significant decrease from the 28 confirmed ransomware victims that were added to the database in August.
The drop aligns with threat intelligence from some cybersecurity vendors. For example, NCC Group's August "Cyber Threat Intelligence Report" detailed a decrease in the number of ransomware attacks over the last few months.
However, many September victims still experienced extended downtime and faced lofty ransom demands. The companies that garnered the most attention were MGM and Caesars, which were both initially breached by social engineering campaigns that leveraged vishing attacks. In addition, each casino was an Okta customer.
In August, the identity and access management vendor confirmed that four of its customers were compromised in a social engineering campaign that led attackers to gain highly privileged roles in customers' Okta tenants. Security vendors including Trellix and Mandiant attributed the campaign to Scattered Spider, a threat group known for its effective phishing techniques.
Okta observed the wave of attacks from July 29 through Aug. 19 and confirmed that Caesars was among the four victims. MGM was the fifth victim of the social engineering campaign against Okta customers, but was compromised in an attack that occurred after Aug. 19. Subsequently, attackers took advantage of the privileged access gained through compromised Okta super administrator accounts.
According to an 8-K filing by Caesars on Sept. 14, it suffered an attack that began around Sept. 7 and led to a data breach. Although the disclosure did not state ransomware was involved, Caesars did say it took steps to "ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result." That same day, The Wall Street Journal reported that Caesars paid a $15 million ransom demand to attackers. The filing also confirmed that the attack did not disrupt Caesars' "physical properties and our online and mobile gaming applications."
On Sept. 12, MGM disclosed a cybersecurity issue that forced it to shut down certain systems and notify law enforcement. Prior to and after the disclosure, guests reported disruptions with the resort and casino amenities. Unlike the incident at Caesars, the attack hindered room key access, delayed check-ins, shut down slot machines and ATMs, and more.
MGM wasn't the only victim to experience substantial downtime in September. Hinds County in Mississippi also suffered significant disruptions following a ransomware attack that occurred overnight beginning on Sept. 6. Kenny Wayne Jones, Hinds County administrator, referred to the attack as "catastrophic for the county" in a report by ABC affiliate 16 WAPT on Sept. 11. The county held an emergency board meeting less than two weeks later. During the meeting, officials approved more than $600,000 for cyber-recovery efforts.
As in previous months, ransomware operators continued to target the healthcare sector. On Sept. 5, Michigan-based McLaren Healthcare was forced to shut down certain systems after suffering a cyber attack. Electronic health records and billing systems were affected, according to reports. The healthcare system, which operates 13 hospitals, did not confirm that ransomware was involved until the BlackCat/Alphv ransomware group mentioned a Michigan-based hospital victim on its public data leak site, which is used to pressure victims into paying. McLaren then confirmed that ransomware was involved in a statement to The Record on Sept. 29.
On Sept. 1, WWNYTV 7 News reported that an attack against Carthage Area Hospital and Claxton-Hepburn Medical Center on Aug. 31 forced the hospitals to divert emergency room patients as a precaution. At the time, Richard Duvall, CEO of both hospitals, told the media outlet that no ransom demand had been made. As of Sept. 7, patient appointments were still being rescheduled. Then, in another statement to WWNYTV on Sept. 15, Duvall confirmed that the New York-based hospitals did receive a ransom demand. The LockBit ransomware gang later claimed responsibility for the attack.
Arielle Waldman is a Boston-based reporter covering enterprise security news.