UK Authorities Arrest Teen for 2023 MGM Ransomware Attack

Date: July 22, 2024


A 17-year-old from Walsall, England, has been arrested by the West Midlands Police Department on suspicion of orchestrating a ransomware attack that crippled MGM Resorts in Las Vegas last year.  

The teenager, whose identity remains undisclosed, faces charges of blackmail and violating the UK's Computer Misuse Act. Following his arrest, he was released on bail.


The investigation, conducted in collaboration with the UK’s National Crime Agency and the FBI, led to the discovery of several digital devices at his residence, which are now undergoing forensic examination.

The police confirmed that the suspect was part of a global cybercrime group, though they did not specify which one.  

The ALPHV/BlackCat ransomware group claimed responsibility for the MGM Resorts attack, which occurred on September 12, 2023.  

The breach reportedly began with a straightforward 10-minute phone call to a Help Desk employee, leveraging information sourced from LinkedIn. The group has also claimed a similar attack on Estée Lauder.

MGM Resorts experienced a nine-day system shutdown, causing widespread disruption across its Las Vegas casinos.

Takeaway: A year after the attack, authorities may have found one of the people responsible for the MGM incident, and it happens to be a teenage kid.

This is a good example of the fact that law enforcement actions against ransomware operators, while important and necessary, simply move too slowly to be an effective tool in the battle against the onslaught of ransomware attacks we see today.

Consider that within days of the attack on MGM, analysts had already informed authorities that the attack was conducted by a threat actor group dubbed Scattered Spider (aka UNC3944), which included hackers based in the US and UK, some of them just teenagers.

As we can see from the timeline of the attack, authorities had a clear idea of who the attackers might be within about a week of MGM being hit, yet it took another year of investigation to put the case together and make an arrest.  

And it will likely take years longer to try the case. Yes, investigations and prosecutions take a considerable amount of time, as they should if we want to assure due process.  

But it also means legal actions don't necessarily provide the level of disincentive needed to really help stem the tide of attacks, especially when we are talking about tens of millions in potential profits for the offenders.

The best way to remove the incentive for these attacks is to make them unprofitable.  

Banning ransom payments may be one avenue to consider, but it is controversial, and rightly so, given the host of other problems that a ransom ban would create for victim organizations.

It seems clear that the best way to disincentivize attackers is to make ransomware attacks much more difficult to carry out successfully.

The MGM attack shows how easily a major corporation with a mature security program can be brought to its knees by relatively simple attack methodologies, such as phishing combined with ransomware-as-a-service platforms that require little to no technical ability to operate as an affiliate.

The best defense against ransomware attacks is to detect them earlier: at initial ingress, during lateral movement, at the establishment of C2, or when the threat actors are trying to steal sensitive data, not after exfiltration and detonation of the ransomware payload.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention. Talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.