Alleged Message from BlackCat/ALPHV on MGM Attack Released

Date: September 15, 2023


A message purported to be from the BlackCat/ALPHV ransomware gang was posted to GitHub. The note allegedly contains details about the attack against hotel and casino giant MGM Resorts, which reported outages due to a ransomware attack earlier this week.

The message offers details about the attack that are, at the very least, unflattering to MGM's incident response playbook, and it casts doubt on the attribution claims made in the media.

The full message can be found here: https://gist.githubusercontent.com/BushidoUK/20b81335c6729dc8e0b5997ca83fa35f/raw/a0697117e905f5094e7a5feae928806b2ba65b20/gistfile1.txt

CybersecurityHub posted a nice timeline summary of what we (think we) know about the attack thus far:

  • September 7: A social engineering attack is launched by the hacking gang Scattered Spider against the IT support vendor employed by Caesars Entertainment. The hotelier pays around half of the $30 million ransom to the hackers. This gang is later linked to the MGM Resorts cyber attack.
  • September 11: MGM Resorts puts out a statement saying a “cyber security incident” has affected some of the company’s systems. An investigation into the cyber attack is launched and the relevant authorities contacted.
  • September 12: MGM Resorts makes a second statement reporting that all “resorts including dining, entertainment and gaming are still operational” and that its guests “continue to be able to access their hotel room and [its] Front Desk is ready to assist our guests as needed”.
  • September 12: Guests report a number of issues with MGM Resorts’ online booking system and casino. The company's main website is reported as being down.
  • September 13: VX Underground, host of “one of the largest collections of malware source code, samples, and papers on the internet”, makes a post on X saying the MGM cyber attack was the result of vishing. VX Underground also reports that the ransomware gang ALPHV was responsible for the attack.
  • September 13: Sources close to the cyber attack say that the hacking group Scattered Spider is responsible for the hack.
  • September 13: Financial services company Moody’s says the cyber attack may negatively impact MGM’s credit. The company also notes that the cyber security incident highlights “key risks” in MGM’s reliance on technology.

Whether or not the note is authentic is unknown at this time, but either way it makes a good point on attribution. Attribution is hard, and so are DFIR investigations. Yet we collectively still insist on having all the details about an attack of this size and complexity immediately, despite knowing all too well that this is not how investigations work. The result is only more FUD and disinformation.

We all need to remember that the news cycle moves much faster than DFIR investigations. The answers everyone wants now likely won't come for weeks. The media should already know this, yet it does not stop them from getting over their skis by reporting on attribution and root cause when there is little to no chance investigators could know such details at this stage.

That's also the big problem with the SEC's new rule requiring publicly traded companies to disclose a "material" cybersecurity incident within four business days of determining it is material: the notification comes long before the details are known, so the wrong information gets all the coverage, and the media fanfare dies down before the real facts are established. By then the media has moved on to the next shiny thing, and the early misinformation ends up being repeated ad nauseam in perpetuity.

Let's all take a big, deep, collective breath and wait for the investigators to complete their work.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.