The same cybercrime crew broke into two high-profile Las Vegas casino networks over the summer, infected both with ransomware, and stole data belonging to tens of thousands of customers from the mega-resort chains.
Despite the similar characters and plots, these two stories have disparate endings - and seem to suggest two very different takeaways to corporations confronted with extortionists' demands and the question of paying or not paying a ransom.
The first, Caesars Entertainment, which owns more than 50 resorts and casinos in Las Vegas and 18 other US states, disclosed the intrusion in an 8-K form submitted to the SEC on September 7.
These steps are widely assumed to include paying a ransom - which was reportedly negotiated down to $15 million after an initial demand for $30 million.
Caesars did not respond to The Register's inquiries for this or previous stories about the ransomware infection.
From the outside, at least, it appears that Caesars suffered minimal pain and business disruption primarily because it decided to pay the ransom.
When looking at what ransomware payments end up funding, with all other things being equal, we'd assume most organizations would choose to not give in to extortion demands.
When looking at both casinos' outcomes, it appears as if the clear, less painful choice is to pay the ransom.
All of these also likely went into the casino exec's decision, said Megan Stifel, chief strategy officer for the Institute for Security and Technology and the executive director of the IST's Ransomware Task Force.
This is because it draws attention away from the two big issues that facilitate ransomware - and cybercrime in general, Stifel added.
There are a number of factors that play into a company's decision to pay or not pay a ransom, according to incident responders.
If this includes health-care records, or data belonging to or about minors, they may be more inclined to pay the demand rather than have this information leaked, Kimberly Goody, head of cyber crime analysis at Mandiant, told The Register.
It also depends on the sector, because sometimes a ransomware infection can become a life-or-death situation.
Goody also noted the 2021 Colonial Pipeline attack and fuel shortage that ensued, as well as the oil company CEO's very public decision to pay the crooks.
Government sanctions are another outside factor likely to influence an organization's decision.
In addition to the ethical problems of paying criminals, and thus funding future cyberattacks on more victims, paying the extortionists may be illegal.
One cyber-crime crew that Mandiant tracks as UNC2165, which has ties to Evil Corp, began switching up the ransomware it deployed after the US sanctioned Evil Corp in 2019 over its development and use of Dridex malware.
These types of sanctions, and other coordinated efforts between governments that increase the cost of criminals doing business, are what's needed to disrupt the ransomware ecosystem, according to IST's Stifel.
This Cyber News was published on go.theregister.com. Publication date: Thu, 28 Dec 2023 17:43:05 +0000