The latest cyberattacks on MGM Resorts and Caesars Entertainment offer a lesson in how two similar organizations, under similar attacks by the same threat actor, pursued contrasting incident response strategies.
Both were victims of a Scattered Spider/ALPHV cyberattack. Caesars took the route of quick negotiation and handed over a $15 million ransom payout, which allowed it to proceed with business in relatively short order. MGM, meanwhile, flatly refused to pay and just announced that its operations have been recovered after 10+ days of casino and hotel operational downtime.
Whether or not to pay a ransom following a cyberattack is one of those no-win decisions incident responders are forced to make under intense pressure.
Paying a ransom does nothing to guarantee data security or system recovery. Worse yet, it encourages future attacks by creating a market for these cybercrimes. But business risk decisions don’t always turn on clear-cut choices of right vs. wrong, and expediency is always a consideration.
Caesars’ more rapid recovery post-ransom might give the impression that it made the better decision. From a business continuity perspective, its decision to pay might seem effective.
Generally, companies that take a while to mull their options may decide that not paying makes more sense. Organizations have only a short window to negotiate with ransomware threat actors before positions become hardened on both sides.
Recovery costs are another consideration. If recovery is painful but only costs a few million, that might be a better choice compared to an eight-figure extortion payment.
Evaluating the overall incident responses of both MGM and Caesars, Caesars’ reaction shows that keeping operations running was the priority, while the MGM response demonstrates that the organization is willing to endure short-term financial pain for long-term cybersecurity gains.
Experts widely acknowledge that both the Caesars and MGM incident responses were capable under difficult circumstances and mitigated more widespread damage.