EXECUTIVE SUMMARY:

Hackers launched an attack that hit MGM Resorts on Sunday morning, rendering doors to buildings unusable and ATMs inoperable. Elevators were also out of order, and customers had to wait hours to check into rooms.

Five days later, teams are still working diligently to resolve the cyber security issues. As revealed by malware research collective VX-Underground, a hacking group claimed responsibility for the attack, noting that it had been accomplished via social engineering. 

Attack details

According to a series of media reports, the ransomware gang known as ALPHV/BlackCat identified an MGM Resorts employee on LinkedIn, and then called the company’s IT help desk in order to obtain access to the victim’s systems.

“A company valued at 33,900,000,000 was defeated by a 10-minute conversation,” VX-Underground observed in a post to its X platform followers.

[Image: screenshot of the VX-Underground post quoted above. Image courtesy of X.]

Social engineering

These types of attacks are extremely easy for hackers to launch. In some cases, hackers may weaponize stolen employee credentials that have been purchased on the dark web.

Many foreign cyber hacking groups include native English speakers, who can serve as highly effective social engineers. After gaining access via a deceptive narrative, they cause IT outages via ransomware, malware or through other means.

BlackCat

One of the top ransomware threat groups, BlackCat was responsible for approximately 12% of ransomware attacks in 2022. It has previously claimed responsibility for attacks on Barts NHS Trust in London and cosmetics giant Estee Lauder.

Operating via the ransomware-as-a-service (RaaS) model, the group is known for collaboration with other ransomware groups, including Conti, LockBit and REvil.

#StopRansomware

Although MGM Resorts has not publicly disclosed the nature of the cyber incident, one clue indicating that it was a ransomware attack is the high visibility of the disruption – everything is in a state of non-operation.

If the hackers encrypted the systems, they may not only want a ransom payment, but they may have also taken data and threatened to release it.

  • Despite widespread knowledge of the technique, many organizations remain unprepared for double-extortion ransomware attacks (ransom extortion plus data exfiltration). Being able to determine whether data was exfiltrated, what that data contained and how to contend with the loss is essential.
  • Organizations that maintain and test ransomware recovery plans almost always recover from attacks more quickly than their counterparts, as recovery simply turns into execution against a set of processes.
  • Ransomware attacks affect a new organization every 14 seconds, according to CISA. Be sure to check out this ransomware prevention checklist.
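The first bullet above says organizations need the ability to determine whether data was exfiltrated. The following is an added example (not from the original article, and unrelated to MGM's own logging) of one way to start that determination from egress logs: sum outbound bytes per host and destination, build a baseline from traffic to known destinations, and flag large transfers to unlisted destinations or volumes far outside the baseline. The log lines, hostnames, domains and thresholds are all constructed for illustration.

```python
"""Flag possible bulk data exfiltration in egress (proxy/firewall) logs.

Added example for this article; the sample data below is constructed and
does not describe any real incident. Each log record has the form:
    <ISO timestamp> <source host> <destination domain> <bytes sent>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress log (not real traffic).
SAMPLE_LOG = """\
2023-09-10T02:00:00 ws-017 updates.example-vendor.net 18320
2023-09-10T02:05:00 ws-017 mail.example-corp.com 44110
2023-09-10T02:07:00 ws-042 cdn.example-vendor.net 9020
2023-09-10T02:10:00 ws-042 mail.example-corp.com 51000
2023-09-10T02:15:00 fs-003 mail.example-corp.com 61200
2023-09-10T02:40:00 fs-003 bucket.example-storage.io 9800000000
2023-09-10T02:55:00 fs-003 bucket.example-storage.io 7400000000
2023-09-10T03:00:00 ws-017 updates.example-vendor.net 16100
"""

# Hypothetical allow-list of destinations the organization expects to see.
KNOWN_DESTINATIONS = {
    "updates.example-vendor.net",
    "mail.example-corp.com",
    "cdn.example-vendor.net",
}


def parse_log(text):
    """Parse whitespace-separated log lines into (ts, host, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        events.append((ts, host, dst, int(nbytes)))
    return events


def bytes_per_host_dest(events):
    """Total outbound bytes keyed by (source host, destination)."""
    totals = defaultdict(int)
    for _, host, dst, nbytes in events:
        totals[(host, dst)] += nbytes
    return totals


def find_exfil_candidates(events, known=KNOWN_DESTINATIONS,
                          min_bytes=1_000_000_000, z_threshold=3.0):
    """Return (host, dst, total_bytes, reason) for suspicious flows.

    Two independent signals are checked per (host, destination) pair:
      1. a transfer of at least min_bytes to a destination not on the allow-list;
      2. a volume more than z_threshold standard deviations above the mean
         volume observed toward known destinations (the baseline).
    Thresholds are illustrative; real deployments tune them per environment.
    """
    totals = bytes_per_host_dest(events)
    baseline = [n for (_, dst), n in totals.items() if dst in known]
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1.0  # avoid division by zero on flat baselines

    findings = []
    for (host, dst), n in sorted(totals.items()):
        reasons = []
        if dst not in known and n >= min_bytes:
            reasons.append("large transfer to unlisted destination")
        z = (n - mu) / sigma
        if z > z_threshold:
            reasons.append(f"volume {z:.1f} sd above known-destination baseline")
        if reasons:
            findings.append((host, dst, n, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, dst, total, reason in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(f"{host} -> {dst}: {total} bytes ({reason})")
```

On the constructed sample, only `fs-003` is flagged, for roughly 17 GB sent to an unlisted storage domain. Volume-based checks like this only narrow the search; confirming what left the network still requires the content-level records (file access, DLP, cloud storage audit logs) the bullet above refers to.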

More insights

This isn’t the first time that MGM has suffered through a major cyber security incident. During the summer of 2019, hackers obtained data belonging to nearly 10 million customers via a “cloud server” operated by the company. In 2020, the hackers released individuals’ names, addresses, and passport numbers, publishing them on a hacking forum.
