The AlphV ransomware gang has admitted it was behind this week’s attack on casino and hotel operator MGM Resorts, but is saying the company and not hackers were responsible for closing the IT environment.
However, it takes credit for eventually launching ransomware.
In a statement saying it wants to “set the record straight,” the gang says it’s not to blame for service outages such as employees not being able to log into the IT environment, slot machines that stopped working, slow electronic transfers of winnings and hotel guests locked out of their rooms because electronic key cards didn’t work.
Yes, it admits, the gang was able to get into MGM Resorts’ Okta identity and access management environment. But, the statement says, “MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning we had been lurking on their Okta Agent servers, sniffing out passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps.”
The group infiltrated MGM Resorts’ IT network on Friday, Sept. 9, the statement says. The company took essential elements of the network offline on Sunday after discovering the intrusion.
The gang’s statement also criticizes researchers at VX Underground for falsely alleging in a tweet that someone linked to the gang got into the MGM Resorts environment by convincing an IT support staffer that they were an employee.
“The rumours about teenagers from the U.S. and U.K. breaking into this organization are still just that — rumours. We are waiting for these ostensibly respected cybersecurity firms who continue to make this claim to start providing solid evidence to support it,” it said.
“We continue to have access to some of MGM’s infrastructure,” the gang’s statement adds. “If a deal is not reached, we shall carry out additional attacks.”
For some reason, the group is protective of its reputation, complaining that news outlets falsely reported that AlphV had claimed responsibility for the attack before the group actually announced it.
In an email, Brett Callow, a B.C.-based threat analyst at Emsisoft, said nothing in the gang’s statement struck him as implausible. “That’s not to say any or all of it is accurate, ” he added, simply that it’s not implausible.
“The unfortunate aspect to this is that a company that seems not to have paid a ransom — casino and hotel operator MGM Resorts — is receiving lots of press attention based on the claims of cybercriminals, while a company that may well have paid — casino and hotel operator Caesar’s Entertainment — is receiving far less. The levels of disruption are drastically different too. Moving forward, these factors may help the cybercriminals — all cybercriminals, not only AlphV — convince other victims that payment is the least painful option.”