Benel D. Lagua | September 29, 2023 | Business World
They say what happens in Las Vegas stays in Las Vegas. But the lessons of ransomware and cyberattacks need to be digested so that businesses learn to handle these issues moving forward. We must learn from Las Vegas.
On a family reunion trip to this city, we were welcomed by a cyberattack on MGM Resorts International, the largest casino company in the city. Computer systems at its properties across the US had been shut down. Based on news reports, reservations and casino floors were affected, with customers unable to make credit card transactions, withdraw money from cash machines, or enter their hotel rooms.
As this piece is written, 10 days after the attack, the estimate is that MGM has been losing around $80 million, with more pain still piling up. It has yet to fully recover its IT systems, with continuing disruptions because multiple virtual machines were encrypted in the cyberattack.
So how was the attack executed? Allegedly, an organized group of hackers used SMS text phishing and phone calls to help desks to obtain password resets or multifactor authentication bypass codes. Social engineering is the latest trend in cyber hacking.
Social engineering is explained as a broad range of malicious activities accomplished through human interaction. Human behavior is one vulnerability threat actors exploit through psychological manipulation. After background information gathering on points of entry and weak protocols, the attacker seeks the victim’s trust. Deception leads to asking the victim to reveal sensitive information or grant access to critical resources.
Here are some common forms of social engineering attacks. Baiting uses a false premise to pique a victim’s greed or curiosity. Scareware bombards victims with false alarms and fictitious threats. Pretexting is obtaining information through cleverly crafted lies such as pretending to need sensitive information for a critical task. Phishing scams are e-mail and text campaigns that create urgency, curiosity, or fear. Spear phishing is more targeted where the attacker impersonates, for example, a trusted personality or provider of the organization.
Ransomware attacks happen when malicious software blocks access to a computer system until a sum of money is paid. The operator issues a ransom demand to the victim, with a threat to delete the victim’s encrypted files. Today’s ransomware attacks have evolved. Experts now discuss multi-extortion ransomware, labeled up to quadruple extortion.
Single extortion involves the encryption described earlier. Double extortion steals data and threatens to leak it to the public or sell it on the black market. Triple extortion adds a further threat to critical operations, such as service disruption. Quadruple extortion adds yet another layer, where the attacker contacts third-party associates with ransom demands or other underhanded tactics.
While MGM bears its losses, Caesars Entertainment, a Reno-based, publicly traded company, quietly reported being hit by a similar cyberattack, but its casino and online operations were not disrupted. It disclosed to the SEC that while it could not fully guarantee the safety of information about its customers, it remained confident there was no evidence that the intruder still had access.
An Associated Press report quoting Brett Callow, threat analyst for a cybersecurity firm, alluded to plausible reports that Caesars Entertainment was asked to pay $30 million for a promise to secure its data and may have paid $15 million. The disclosure indicates the attackers accessed the casino’s loyalty program database and agreed not to make it public in return for a ransom payment.
Most experts will say that paying a ransom does more harm than good. But this episode showed that, when choosing the lesser pain, companies will make a business decision to pay out to protect the business itself, and more importantly to protect customers, employees, and other stakeholders. It is the proverbial damned if you do and damned if you don’t. But sometimes a difficult decision is necessary, based on a risk-based analysis of costs and benefits, as a defensive measure, provided some offensive action is taken to prevent recurrence.
A nephew who is a cybersecurity expert told this writer that in the ransomware business, the attacker must show proof of trustworthiness, that they will keep their word at least in the near term and will not play around with the data they have captured, to be considered for ransom payment. Even on the dark side of the world, there must be honor among thieves for them to get the appropriate reward. Apparently, the identified hackers in this episode have a reputation for honoring their promises, and at least one casino company chose the lesser evil.
To pay or not to pay is very tricky. The best cure is prevention: being proactive and denying the attacker the opportunity to force a decision on a ransomware demand in the first place. Companies must continuously study the evolving strategies of the bad guys and adapt their preventive measures. Having a business contingency and continuity plan helps. Combine it with aggressive training on security matters. But when already facing the problem, a good cost-benefit model should be on hand.
***
Benel Dela Paz Lagua was previously EVP and chief development officer at the Development Bank of the Philippines. He is an active FINEX member and an advocate of risk-based lending for SMEs. Today, he is an independent director in progressive banks and in some NGOs.