In September, MGM Resorts was hit by a devastating ransomware attack, downing operations at some of its most iconic casino hotels in Las Vegas, including the Bellagio, Mandalay Bay and the Cosmopolitan.
Guests were forced to wait hours to check in after the cyberattack crippled electronic payments, slot machines, ATMs and paid parking systems. The hackers also stole a huge cache of customers' personal information from MGM's servers.
MGM declined to pay the attackers’ ransom demand to get its systems and data back. The amount of the ransom isn't yet known, though it’s likely less than the $100 million in profit the company said in a regulatory filing it will lose in the aftermath of the cyberattack.
While the MGM cyberattack dominated headlines for weeks, an earlier cyberattack on Caesars Entertainment barely made it into the news. That’s largely because the hotel and casino giant paid off the hackers to prevent the disclosure of stolen data in the hope of making the incident go away.
Caesars is by no means alone. According to a survey of hundreds of security leaders published by Splunk, some 83% of organizations admitted to paying hackers following a ransomware attack, and more than half paid at least $100,000, either through cyber insurance or a third-party.
Paying is easy, trust is impossible
Paying the attackers’ ransom — particularly for large organizations with plenty of cash — often seems like the easiest and cheapest option to get their networks operational and any stolen data recovered. But there's no guarantee that paying up will ensure the safe return of stolen data — or that all copies have been erased. After all, any data stolen by cybercriminals is compromised whether a ransom is paid or not, and you can't trust a criminal's word that they actually deleted your data.
Caesars' breach stayed largely out of the headlines, but the company's liability remained largely the same. Caesars was still forced to admit to regulators that it paid a ransom to the hackers who had stolen a copy of Caesars' loyalty program database, which includes driver licenses and Social Security numbers for a “significant number of members.”
Even then, Caesars admitted that it “cannot guarantee” that the hackers kept their end of the bargain and actually deleted the data they stole.
Sanctions can still sting
There’s also a technical hazard in paying a hacker's ransom. According to a study by Cybereason, 80% of ransomware victims who paid the ransom were hit by a subsequent ransomware attack, with 68% of compromised organizations saying that the second attack came less than a month later and that the hackers demanded a higher ransom.
That’s because when an organization pays a ransom, it solves an immediate problem, but also announces a willingness to pay potentially large sums of money to resolve a crisis.
“The reason the attacks keep coming is because there's money on the end for the adversary and they’re actually accomplishing what they're trying to accomplish,” MK Palmore, former FBI agent and director in Google Cloud's Office of the CISO, said at TechCrunch Disrupt. “If you were to cut off the reward for them at the end I think we would likely see less in the way of attacks,” said Palmore.
Paying a ransom demand is not illegal, though the FBI has long advised companies not to pay, since paying encourages ransomware gangs to continue to target new victims.
But organizations can still find themselves in legal (and criminal) hot water if found paying a ransomware gang sanctioned by the U.S. government. The U.S. Treasury warns that paying ransoms to sanctioned hacking and ransomware groups could constitute a violation of U.S. sanctions laws, which can lead to criminal prosecution.
While paying the ransom demand might seem like the easiest and cheapest option, it is likely to cost an organization more in the long run.