Twin cyberattacks on MGM Resorts and Caesars Entertainment have provided a singular view into what happens when two similar organizations, under similar attacks by the same threat actor, pursue contrasting incident response strategies.
In this instance, both were victims of a Scattered Spider /ALPHV cyberattack. Caesars quickly negotiated with the cyberattackers, and handed over a $15 million ransom payout, which allowed it to proceed with business in relatively short order. MGM meanwhile flatly refused to pay, and just announced that its operations have been recovered after 10+ days of casino and hotel operational downtime (tens of millions of dollars in lost revenue later).
While it’s tempting to make a judgment as to which approach is better, any direct comparison between the Caesars and MGM responses to the cyberattack is an oversimplification, experts say. For instance, Rob T. Lee, SANS Institute’s chief curriculum director and faculty lead, emphasizes that the core principle of incident response is trying to make the “least worst decision.” And this tends to be a complex decision that always has a positive and a negative (some would say brutal) set of outcomes.
He notes, “many business decisions can go into that. Only once an incident is over can you see different paths that could have led to different or at least worse outcomes. There is no ‘win’ in these situations, only decisions that can prevent it from worsening.”
Should You Pay the Ransom? Was MGM Right or Caesars? It’s Complicated
Whether or not to pay a ransom following a cyberattack is one of those no-win decisions incident responders are forced to make under intense pressure.
It’s well documented that paying a ransom does nothing to guarantee data security or system recovery. Worse yet, it encourages future attacks by creating a market for these cybercrimes. But business risk decisions don’t always turn on clear-cut choices of right vs. wrong, and expediency is always a consideration.
“Caesars’ more rapid recovery post-ransom might give the impression they made a better decision,” says Callie Guenther, senior manager of cyber threat research at Critical Start. “From a business continuity perspective, their decision to pay might seem effective.”
However, Joseph Carson, chief security scientist and advisory CISO at Delinea explains that there are other complexities at play. Companies who take a while to mull their options may decide that not paying makes more sense. In his experience, he says organizations only have about a four-day window to negotiate with ransomware threat actors before positions become hardened on both sides. After that, ransomware attackers tend to become frustrated, and enterprise security teams get dug into their position as well.
“There’s a sunken-cost bias,” security researcher Jake Williams added. “The further away from the incident they (cybersecurity response and recovery teams) get, the more entrenched they get in the recovery.”
Recovery costs are another consideration, according to Carson. If recovery is painful, but only costs a few million, that might be a better choice compared to a an eight-figure extortion payment, he adds.
What Each Response Signals About Business Priorities
Evaluating both MGM and Caesars overall incident response broadly, Guenther explains that Caesars’ reaction shows that keeping operations running was the priority, while the MGM response demonstrates that the organization is willing to endure short-term financial pain for long-term cybersecurity gains.
“MGM’s choice not to pay the ransom, despite financial losses, might stem from a broader perspective on the implications of ransom payments,” Guenther says. “The duration of their disruption might also reflect a comprehensive internal review and restoration process, ensuring all threats are fully mitigated.”
Caesars’ incident response, she adds, by comparison was “decisive.”
“However, paying a ransom, while providing immediate relief, carries long-term considerations,” Guenther adds. “The speed of their recovery post-payment suggests they had robust backup and restoration processes in place, but it also raises questions about their preventative measures leading up to the attack.”
Some IR Teams Just Get Lucky In Vegas
Experts widely acknowledge that both Caesars and MGM incident responses were capable under difficult circumstances and mitigated more widespread damage.
In terms of Caesars’ ransom payment, Andrew Barratt, vice president at Coalfire, points out what a fraction the $15 million extortion payment is in the larger scheme of the organization’s overall revenues.
“Caesars’ payout works out to be around a 0.1% hit on their year-prior revenue, and that probably wouldn’t even make their earnings call if it was another type of cost amortized over the period,” Barratt says.
He adds that MGM’s 10-day recovery time stacks up well against other organizations, in his experience.
“While it seems to have dragged on, I’ve seen incidents take upwards of a year to get fully resolved, and 10 days is not a terrible response for an organization with the complexity the MGM inevitably has,” Barratt adds.
Cybersecurity hygiene, system architecture, tools, and available talent pool aside, SANS Institute’s Lee points out incident recovery is ultimately about as predictable as a pull on a slot machine.
“Just because Caesars recovered ‘better’ might not have anything to do with the ransom payment,” Lee adds. “You cannot judge ‘success’ based on the outcome — they just might have been, using a Vegas term, luckier.”