The Vegas Strip Ransomware Attacks: How a Phone Call Took Down Two Casino Giants
In September 2023, two of the largest hospitality companies on the Las Vegas strip were felled not by malware, but by a phone call. The lesson is still not fully learned.

In September 2023, the Las Vegas strip became the most visible battlefield in a ransomware campaign that would reshape how the security industry thinks about help desks, social engineering, and the economics of payment. Caesars Entertainment and MGM Resorts International, two hospitality giants with combined annual revenues in the tens of billions, were compromised within days of each other by the same threat actor group using nearly identical tactics. What made the attacks remarkable was not the sophistication of the malware. It was the sophistication of the persuasion.
The Timeline
The first victim was Caesars Entertainment, compromised in late August or early September 2023. The intrusion was discovered before the attackers had fully deployed ransomware across the environment. Caesars chose to pay a ransom reported at approximately fifteen million dollars in exchange for a promise that stolen data would not be leaked. The company disclosed the incident in an SEC filing, noting that its casino and hotel operations were not disrupted.
MGM Resorts was hit days later, on September 10, 2023. In this case, the attackers succeeded in deploying ransomware broadly, encrypting ESXi hypervisors, taking down reservation systems, disabling digital room keys, and forcing slot machines offline across the company's properties. MGM chose not to pay. The operational and financial cost was severe, with estimated losses exceeding one hundred million dollars.
The Threat Actors
The group responsible is known publicly as Scattered Spider, tracked by some threat intelligence organizations as UNC3944. Scattered Spider is not a traditional ransomware developer. It is a financially motivated intrusion group that specializes in social engineering, particularly against English-speaking targets in North America. Its members are adept at gathering open source intelligence, impersonating employees, and manipulating IT support staff into granting access.
Once Scattered Spider gains initial access, it has historically partnered with ransomware developers to monetize the intrusion. In the Vegas attacks, the payload was ALPHV ransomware, also known as BlackCat, a Rust-based ransomware-as-a-service platform that had already established itself as one of the most prolific strains in operation at the time.
This division of labor is increasingly common. One group breaches. Another builds and maintains the encryptor. A third launders payments. The result is a supply chain of criminal activity that mirrors legitimate enterprise specialization.
The Ten-Minute Phone Call
The initial access vector at MGM was social engineering via a phone call to the IT help desk. The attackers identified an MGM IT employee through LinkedIn. They then called the help desk, impersonated that employee, and convinced the support staff to reset the employee's password and bypass or reissue multifactor authentication credentials.
The entire interaction took approximately ten minutes.
This was not a technical exploit. It did not rely on a zero-day vulnerability, a misconfigured cloud bucket, or a phishing link. It relied on the fact that help desks are staffed by people who are measured on ticket resolution speed and trained to be helpful. When a caller sounds plausible, knows enough organizational vocabulary to pass a casual verification check, and expresses appropriate urgency, the human instinct to assist often overrides the procedural instinct to verify.
Two Responses, Two Outcomes
Caesars and MGM made different choices, and both choices carried costs that are still debated.
Caesars paid. The rationale, as inferred from public statements and securities filings, was that payment was the fastest path to preventing the public release of customer data, including loyalty program records and driver's license information. The company minimized operational disruption but spent millions on a promise from criminals that is historically unreliable. There is no mechanism to enforce a ransomware group's agreement not to retain or resell stolen data.
MGM refused to pay. The rationale was reportedly a principle-driven decision reinforced by law enforcement guidance. The result was weeks of operational chaos. Guests could not check in using digital keys. Slot machines, which rely on networked accounting systems, had to be reset manually. The company's websites and mobile applications were taken offline. Earnings calls quantified the damage in the nine-figure range.
Neither choice was clearly correct in all dimensions. The industry continues to debate whether payment accelerates the problem by funding future attacks or whether refusal is a luxury only large corporations with deep balance sheets can afford.
The Technical Aftermath
Inside the MGM environment, the attackers moved laterally from the compromised help desk access to administrative accounts with broader privileges. They eventually gained access to VMware ESXi infrastructure and deployed ALPHV ransomware across virtualized servers. The encryption was comprehensive enough that MGM made the decision to shut down large portions of its network proactively to contain the blast radius.
The attackers also claimed to have exfiltrated data, which is standard behavior for double extortion ransomware operations. Even when encryption is the most visible impact, the quieter threat is the promise to publish stolen files if the victim does not pay.
What Organizations Should Learn
The Vegas attacks are case studies in three specific failures that recur across industries.
Help desk verification is a security control, not a customer service inconvenience. If a help desk can reset a password and reissue MFA credentials based on a phone call, then the help desk is an authentication boundary. It should be treated with the same rigor as any other privileged access path. Video verification, callback to a known corporate number, manager approval for high-risk requests, and hardware-backed authentication are all controls that would have changed the calculus of the MGM attack.
Identity hygiene is not abstract. The attackers found their target on LinkedIn. They knew job titles, reporting structures, and likely project assignments because the victim organization and its employees had published that information. This is not a recommendation to delete social media profiles. It is a recommendation to design identity and access management programs that do not assume confidentiality of employee names and roles.
The economics of ransomware are visible to the attackers. Casino operators hold vast quantities of customer data, operate on thin margins in competitive markets, and suffer immediate brand damage when operations falter. Attackers know this. They select targets based on liquidity, data sensitivity, and operational pressure. Security programs should be designed with the assumption that the organization is already on a target list, not that it might be someday.
A Persistent Lesson
More than two years later, the September 2023 Vegas attacks remain relevant because the tactics have not changed. Scattered Spider and groups with similar tradecraft continue to target help desks, abuse identity providers, and exploit the gap between security policy and human behavior. The tools are different. The psychology is the same.
The organizations that have made meaningful progress since 2023 are not the ones that bought more endpoint detection. They are the ones that redesigned their help desk workflows, tested their identity recovery procedures against realistic social engineering scenarios, and accepted that the weakest link in their security program was not a firewall rule but a well-meaning support technician answering the phone.
Attack Timeline
The following reconstruction draws on SEC filings, vendor incident reports, and public reporting. Some windows are approximate where the victims did not publish exact times.
Late August 2023. Scattered Spider operators begin reconnaissance against Caesars Entertainment, profiling IT staff and outsourced support vendors through LinkedIn and public breach data.
August 27, 2023 (approximate). Initial access at Caesars is obtained through a social engineering attack against an outsourced IT support vendor. Attackers pivot from vendor credentials into Caesars systems.
Early September 2023. Caesars detects the intrusion, engages external incident response, and opens negotiations with the threat actor. A payment reported at approximately fifteen million dollars is made in exchange for a deletion promise covering loyalty program data.
September 7, 2023. Caesars discloses material aspects of the incident internally and prepares regulatory filings.
September 10, 2023, approximately 11:00 AM Pacific. A Scattered Spider operator places a phone call to the MGM Resorts IT help desk, impersonating an employee identified through LinkedIn. Within roughly ten minutes the help desk resets the account password and reissues multifactor authentication enrollment.
September 10, 2023, afternoon. Attackers establish persistence, escalate privileges, and begin mapping Active Directory and VMware vCenter assets.
September 11, 2023, early morning. MGM detects abnormal activity and begins proactive shutdowns. Digital room keys, slot machine accounting systems, reservation platforms, and the corporate website are taken offline to contain spread.
September 11 through 12, 2023. ALPHV BlackCat ransomware is deployed against ESXi hypervisors across multiple properties. Guests report manual check-in, paper receipts at restaurants, and cash-only payouts at slot machines.
September 14, 2023. Caesars files an 8-K with the Securities and Exchange Commission acknowledging the incident and the data theft.
September 14, 2023. ALPHV publishes a statement on its leak site claiming responsibility for the MGM attack and disputing public reporting about the intrusion path.
Late September 2023. MGM systems are progressively restored. The company later quantifies the financial impact at approximately one hundred million dollars in the affected quarter, with additional remediation costs disclosed in subsequent filings.
October 5, 2023. MGM files an 8-K describing the operational and financial impact and confirming that personal information of prior guests was obtained by the threat actor.
A Help Desk Follow-Up Playbook
The single control that would have changed the MGM outcome is a hardened identity recovery workflow. Use the following as a starting template and adapt it to your environment.
Step one: classify the request. Password resets, MFA factor changes, and privileged account recovery are not the same risk tier as a printer driver question. Route them through a dedicated identity recovery queue with stricter handling rules.
Step two: verify out of band. Do not accept verification details offered by the caller. Place a callback to the phone number of record in the human resources system, not the number the caller provides. For high-privilege accounts, require a video call with a government identification check.
Step three: require manager attestation. For any account with privileged role assignments, require the requester's manager to approve the reset through a separate channel before the help desk acts. Track these approvals in the ticket.
Step four: enforce a cool-down. New MFA factors enrolled through a recovery workflow should not be usable for sensitive operations for a defined waiting period. This window gives detection teams time to spot anomalous enrollment patterns before they are weaponized.
Step five: log and review. Every identity recovery action should generate a high-signal log entry that is reviewed daily by an analyst. Pattern matching across multiple recoveries in a short window is one of the highest-fidelity indicators of an active social engineering campaign.
Step six: rehearse. Run quarterly tabletop exercises in which a red team attempts to extract a credential reset from the help desk using realistic pretexts. Measure success rates and feed the results back into training.
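To make steps two through five concrete, here is an added example (not from the original article or any vendor product) that reviews identity-recovery audit logs: it flags privileged recoveries that skipped out-of-band verification or manager attestation, finds bursts of recoveries across distinct accounts inside one window, and enforces the cool-down on newly enrolled factors. The JSON log format, field names and sample lines are constructed assumptions for this example.

```python
# Added example, not from the original article: a small reviewer for
# identity-recovery audit logs implementing playbook steps two to five.
# The log format, field names and sample lines are constructed assumptions.
import json
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line, as a ticketing system
# might emit for password resets and MFA re-enrollments (step five).
SAMPLE_LOG = """\
{"ts":"2023-09-10T11:02:00","ticket":"T-1001","account":"jdoe","action":"password_reset","verify":"callback_hr","manager_ok":true,"privileged":false}
{"ts":"2023-09-10T11:06:00","ticket":"T-1002","account":"jdoe","action":"mfa_reenroll","verify":"caller_provided","manager_ok":false,"privileged":true}
{"ts":"2023-09-10T11:40:00","ticket":"T-1003","account":"asmith","action":"mfa_reenroll","verify":"caller_provided","manager_ok":false,"privileged":true}
{"ts":"2023-09-10T11:55:00","ticket":"T-1004","account":"bwong","action":"password_reset","verify":"callback_hr","manager_ok":true,"privileged":false}
{"ts":"2023-09-10T15:30:00","ticket":"T-1005","account":"clee","action":"password_reset","verify":"callback_hr","manager_ok":true,"privileged":false}
"""
COOLDOWN = timedelta(hours=24)  # step four: new factors wait before sensitive use

def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts' field, sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def policy_violations(events):
    """Steps two and three: a privileged recovery must be verified by callback
    to the HR number of record AND carry manager approval. Returns ticket ids."""
    bad = []
    for e in events:
        if e["privileged"] and (e["verify"] != "callback_hr" or not e["manager_ok"]):
            bad.append(e["ticket"])
    return bad

def recovery_bursts(events, window=timedelta(hours=1), threshold=3):
    """Step five: flag any window holding recoveries for >= threshold distinct
    accounts, the pattern the article calls a high-fidelity campaign indicator."""
    bursts = []
    for i, start in enumerate(events):  # events are sorted, so scan forward
        accounts = {e["account"] for e in events[i:] if e["ts"] - start["ts"] <= window}
        if len(accounts) >= threshold and accounts not in bursts:
            bursts.append(accounts)
    return bursts

def factor_usable(enrolled_iso, now_iso, cooldown=COOLDOWN):
    """Step four: a factor enrolled via recovery is usable only after the cool-down."""
    return datetime.fromisoformat(now_iso) - datetime.fromisoformat(enrolled_iso) >= cooldown
```

On the constructed log, tickets T-1002 and T-1003 fail the privileged-recovery policy and the three recoveries between 11:02 and 11:55 form one burst.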
Frequently Asked Questions
Was MGM breached because of a weak password? No. The account in question had multifactor authentication enabled. The attackers convinced the help desk to reissue the authentication factor on their behalf, which bypassed the control entirely.
Did Caesars get a better outcome by paying? In the short term, operations were not disrupted and the customer data was not published. In the longer term, paying does not guarantee deletion, funds future attacks against other organizations, and may attract follow-on extortion attempts. The trade is real and not purely ethical.
Is Scattered Spider still active? Yes. The group has continued to target hospitality, insurance, retail, and technology companies through 2024 and 2025, often using the same help desk social engineering playbook with minor variations.
Would more endpoint detection software have stopped this? Probably not at the initial access stage. The attackers used a legitimate password reset. Endpoint detection becomes relevant only after the attackers begin running tools on internal systems, by which point they already hold valid credentials.
Is this only a problem for large enterprises? No. Mid-market organizations are often more exposed because their help desks are smaller, more familiar with employees by voice, and less likely to enforce strict verification. Familiarity is a vulnerability when the caller is not who they claim to be.
Should we outsource our help desk? Outsourcing is not inherently riskier, but it shifts the verification problem to a vendor whose staff may have weaker context about your employees. Contracts should specify identity verification standards, audit rights, and incident notification timelines.
Key Takeaways
- The help desk is an authentication boundary. Treat it with the same controls you apply to any privileged access path.
- Multifactor authentication does not defend against attackers who can convince support staff to reissue factors. Recovery workflows need their own controls.
- Payment is a business decision with no guaranteed outcome. Decide your policy in advance, in writing, with legal and law enforcement input.
- Public employee directories, LinkedIn profiles, and breach data are reconnaissance assets for attackers. Design identity programs that do not depend on the secrecy of names and roles.
- Practice the scenario. Tabletop exercises that include a social engineering call to the help desk will surface gaps that no policy review can find.
Sources and Citations
- Caesars Entertainment, Form 8-K filed with the U.S. Securities and Exchange Commission, September 14, 2023.
- MGM Resorts International, Form 8-K filed with the U.S. Securities and Exchange Commission, October 5, 2023.
- Mandiant, threat intelligence reporting on UNC3944 and related social engineering tradecraft, 2023 and 2024 updates.
- Microsoft Threat Intelligence, Octo Tempest profile describing the actor group also tracked as Scattered Spider.
- CISA and FBI Joint Cybersecurity Advisory AA23-320A, Scattered Spider, November 16, 2023.
- Reuters reporting on the Caesars and MGM incidents, September 2023.
- Bloomberg coverage of MGM Resorts operational impact and financial disclosures, September and October 2023.
- ALPHV BlackCat leak site statement regarding MGM Resorts, September 14, 2023, archived by multiple threat intelligence vendors.
- MGM Resorts International, Form 10-Q for the quarter ended September 30, 2023, discussing the financial impact of the cyberattack.