Ransomware Attacks on Online Casinos: What the MGM and Caesars Breaches Teach Us

In September 2023, two of the world's largest casino groups were hit by ransomware within weeks of each other. MGM Resorts refused to pay and suffered $100M in losses and 10 days of operational disruption. Caesars Entertainment paid a ransom of approximately $15M. Both were attacked using the same technique: a phone call to an IT helpdesk. No zero-day exploit. No sophisticated malware. Just a teenager asking the right questions of the wrong person.

MGM ransomware attack cost: $100M. The initial entry point: a phone call to the IT helpdesk.

The Scattered Spider Attack Method — And Why It Works

The group known as Scattered Spider (UNC3944) specialises in social engineering, specifically vishing (voice phishing). They research target employees on LinkedIn, then call the IT helpdesk impersonating that employee. Their goal: get an IT admin to reset MFA, grant remote access, or reveal credentials. Once inside, they move laterally through the network using legitimate tools (no malware that triggers antivirus), exfiltrate data, encrypt systems, and demand ransom.

This technique defeats almost every traditional security control. Firewalls, antivirus, and intrusion detection systems are irrelevant when the attacker is authenticated with legitimate credentials. The failure point is human, and it's extremely hard to defend against without the right combination of training and technical controls.

What Ransomware Does to an Online Casino Operation

For a land-based operation like MGM, ransomware encrypted hotel management, slot machine systems, restaurant POS, and reservations. For an online casino, the impact is different but equally severe:

  • Player accounts locked — customers can't access funds or place bets
  • Payment processing halted — withdrawals and deposits impossible
  • Game servers encrypted — the platform goes dark
  • Player data potentially exfiltrated before encryption — triggering GDPR notification obligations
  • Back-office systems offline — support, compliance, and operations paralysed
  • Brand reputation damage — players flee to competitors who are online

How BlackFog Stops Ransomware Before Encryption

BlackFog operates at the device level, preventing data from leaving the organisation even if ransomware has successfully infected a machine. This breaks the ransomware business model — attackers can't threaten to publish your data if it never left. BlackFog also blocks the command-and-control communications that ransomware uses to receive encryption keys, preventing the encryption phase from completing. 100% of BlackFog's customers have remained ransomware-free.

Frequently Asked Questions

Should we pay a ransomware demand?

Law enforcement agencies universally advise against payment — it funds criminal organisations, doesn't guarantee data recovery, and marks you as a paying target for future attacks. Caesars paid and was still subject to significant regulatory scrutiny.

How do you defend against social engineering attacks on IT helpdesks?

Enforce strict identity verification procedures for all helpdesk requests (especially MFA resets), verify callers by calling back on known numbers, and make escalation mandatory for any access changes. Back these controls with employee security awareness training specific to vishing scenarios.
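These helpdesk controls can be enforced as a gate in the ticketing workflow rather than left to the agent's judgement on the call. The sketch below is an added example, not code from Kyanite Blue or BlackFog; the request fields, request-type names, directory entries and phone numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Request types that change access (names are assumptions for this example).
ACCESS_CHANGES = {"mfa_reset", "password_reset", "remote_access_grant"}

# Constructed directory: employee id -> phone number already on record.
DIRECTORY = {"e1001": "+000-555-0101", "e1002": "+000-555-0102"}

@dataclass
class HelpdeskRequest:
    employee_id: str
    request_type: str
    agent: str                             # helpdesk agent handling the call
    callback_number: Optional[str] = None  # number the agent dialled back
    callback_confirmed: bool = False       # employee confirmed on that call
    approver: Optional[str] = None         # second person who signed off

def evaluate(req: HelpdeskRequest, directory=DIRECTORY):
    """Return (decision, reason); decision is 'allow', 'deny' or 'escalate'."""
    on_record = directory.get(req.employee_id)
    if on_record is None:
        return "deny", "employee not in directory"
    # Callback verification applies to every request. Only the number on
    # record counts: a number offered during the call is attacker-controlled.
    if req.callback_number != on_record:
        return "deny", "no callback to the number on record"
    if not req.callback_confirmed:
        return "deny", "employee did not confirm the request on callback"
    if req.request_type not in ACCESS_CHANGES:
        return "allow", "identity verified, no access change"
    # Mandatory escalation: access changes need an independent approver.
    if req.approver is None:
        return "escalate", "access change needs a second approver"
    if req.approver == req.agent:
        return "deny", "agent cannot approve their own action"
    return "allow", "callback verified and independently approved"

if __name__ == "__main__":
    # Constructed requests: a vishing-style call, then a verified reset.
    calls = [
        HelpdeskRequest("e1001", "mfa_reset", "agent_a", "+000-555-0199", True),
        HelpdeskRequest("e1001", "mfa_reset", "agent_a", "+000-555-0101", True),
        HelpdeskRequest("e1001", "mfa_reset", "agent_a", "+000-555-0101", True, "lead_b"),
    ]
    for c in calls:
        print(c.request_type, c.callback_number, evaluate(c))
```

The first constructed call is denied because the callback went to a number that is not on record, the second is held for escalation, and only the third, with a separate approver, is allowed.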

How quickly can ransomware encrypt a casino's systems?

Modern ransomware can encrypt thousands of files per second. A fully deployed attack can render an organisation's systems unusable within hours of the initial breach.

Is ransomware a GDPR breach?

Yes, if player or employee personal data is exfiltrated or inaccessible as a result of the attack. Ransomware incidents are one of the most common triggers for GDPR breach notifications.

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
