MGM SEC 8K Filing Reveals Ransomware Attack Losses Exceed $100M


October 9, 2023

World map

In a revised SEC 8-K disclosure filing, MGM reports the company lost around $100 million following a highly publicized ransomware attack in early September alleged to have been carried out by the notorious BlackCat/ALPHV ransomware gang.

By contrast, Caesars Entertainment was hit by the same threat actors about a week prior and opted to pay a ransom of $15 million to quickly restore operations as MGM struggled with downed systems for more than a week.

"Paying a ransom to cybercriminals does not guarantee a full return of an organization's systems and data, and only furthers the ransomware ecosystem," security evangelist Anne Cutler told DarkReading.  

"Although the $100 million in losses are costly on the surface, MGM's decision not to pay the ransom followed the course of action recommended by cybersecurity experts, government, and law enforcement."

"No company is too big to hack; the key issue is a business too resilient to hack," Viakoo CEO Bud Broomhead says. "MGM may have invested heavily in backup and recovery, and may use this attack to learn where their weakness[es] are so next time they will be even more resilient to attack."

But Cutler also points out that for small- and midsize businesses, a ransomware attack "could force them out of business entirely."

Takeaway: Ransomware attacks that include data exfiltration have become increasingly prevalent. The exfiltration of sensitive data can lead to significant financial losses, damage to reputation, and loss of customer trust.  

This is why it's essential for organizations to understand the specific risk that ransomware poses to their operation and consider whether or not a ransom payment is in the best interest of stakeholders.

The recommendation from law enforcement and other experts is that organizations should never pay a ransom demand, which would significantly diminish the financial incentives for these attacks.  

In most circumstances that would be the logical approach, but it may not be the right approach for every organization.

For example, it may be within the risk parameters for an entertainment company like MGM to refuse a ransom demand even though downtime is costing the organization revenue, they can obviously afford it when doing $4 billion in revenue a quarter.  

But what about a hospital who urgently requires access to systems where any delays could pose a risk to human life? In these cases, the decision on whether to pay a ransom demand is more complicated.

This is why experts are divided on whether organizations should pay ransomware demands. Those who advocate for paying the ransom believe that it's the quickest and easiest way to regain access to valuable data and is the best way to reduce the overall impact of an attack. They argue that the cost of paying the ransom is often lower than the cost of restoring data from backups or the potential financial losses incurred from delayed recovery.

On the other hand, those who oppose paying the ransom argue that doing so only encourages cybercriminals to continue their attacks by reinforcing the financial incentives that drive ransomware attacks.  

They point to examples where paying the ransom did not guarantee that the victim's data was restored or cases where the data was corrupted during decryption. They also point out that most victims who paid a ransom demand were attacked again, often by the same threat actor who demands a higher ransom payment knowing the victim is likely to pay.

While paying the ransom may seem like a quick fix, it may not be the best solution for businesses and individuals. Paying the ransom only supports the criminal activities of cybercriminals, leading to an increase in ransomware attacks.  

Additionally, paying the ransom does not guarantee that the victim's data will be restored. There have been instances where victims have paid the ransom, but the cybercriminals did not provide the decryption key or provided a faulty one, leaving the victim without their data and their money.

Also, even if the victim's data is restored, paying the ransom may result in further attacks. Cybercriminals may see the victim as an easy target and continue to target them with future attacks.

Finally, paying the ransom does not address the root cause of the problem, which is the vulnerability of the victim's systems to ransomware attacks. Instead of paying the ransom, victims should focus on implementing preventative measures to protect their data from future attacks. is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).