FBI develops tool to combat group responsible for MGM cyberattack
The FBI has developed a decryption tool that will help companies that are victims of cyberattacks from the group that hacked into MGM Resorts International’s computer systems in September.
The U.S. Justice Department on Tuesday announced that a coalition of U.S. and international law enforcement agencies has launched a disruption campaign against a hacker group known as ALPHV or BlackCat — the organization that took credit for disrupting operations at MGM for nine days. A splinter organization known as Scattered Spider was a part of that group.
Officials with MGM have not responded to Review-Journal inquiries about the campaign or if its technicians worked with the FBI.
According to the Justice Department, ALPHV/BlackCat has emerged as the second-most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world. Because of the global scale of the crimes, multiple foreign law enforcement agencies are conducting parallel investigations.
Caesars Entertainment Inc., which reportedly paid a ransom believed to be around $15 million, has not revealed details about its attackers, but MGM, which didn’t pay a ransom, explained how it addressed the attack by shutting down many of its systems to prevent further infiltration of its data.
MGM President and CEO Bill Hornbuckle, at October’s Global Gaming Expo in Las Vegas, called the attack “corporate terrorism at its finest.”
In an onstage interview with CNBC, Hornbuckle described how, when the company learned it was under attack, it shut down its own systems, meaning that 36,000 hotel rooms and some regional properties went offline.
“I mean, literally the telephones, the casino system, the hotel system, the key system, and I could go on and on and on, were not functioning,” Hornbuckle said at the time.
MGM estimated that the cyberattack resulted in $100 million in damage to the company, but most of that would be covered by insurance.
“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa Monaco said in a release. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”
The FBI developed the decryption tool, which allowed FBI field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems. The FBI has worked with dozens of victims in the United States and internationally to implement the solution, saving multiple victims from ransom demands totaling an estimated $68 million.
As detailed in a search warrant unsealed Tuesday in the Southern District of Florida, the FBI also has gained visibility into the BlackCat ransomware group’s computer network as part of the investigation and has seized several websites that the group operated.
There was no indication whether any arrests are pending.
“The FBI continues to be unrelenting in bringing cybercriminals to justice and determined in its efforts to defeat and disrupt ransomware campaigns targeting critical infrastructure, the private sector, and beyond,” FBI Deputy Director Paul Abbate said in a release.
“Helping victims of crime is the FBI’s highest priority and is reflected here in the provision of tools to assist those victimized in decrypting compromised networks and systems,” he said. “The FBI will continue to aggressively pursue these criminal actors wherever they attempt to hide and ensure they are brought to justice and held accountable under the law.”
In mid-November, two cybersecurity company executives told Reuters that they felt the FBI was slow to respond to the MGM and Caesars incidents and failed to make any arrests because the bureau was undermanned and didn’t hold cybercrime as a high priority.
“I would love for somebody to explain it to me,” Michael Sentonas, president of CrowdStrike, told Reuters. “For such a small group, they are absolutely causing havoc.”
Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X.