MGM Resorts — Scattered Spider ransomware
A LinkedIn search and a helpdesk phone call gave Scattered Spider domain-admin access to MGM Resorts; ransomware halted casino operations for ten days and cost over $100M.
- Target: MGM Resorts — Scattered Spider ransomware
- Date public: 11 September 2023
- Sector: Consumer Goods
- Attack type: Ransomware
- Threat actor: Scattered Spider (ALPHV affiliate)
- Severity: High
- Region: United States
In September 2023 the lights didn't go out at MGM Resorts because of a sophisticated software attack. They went out because someone made a phone call. Attackers found an MGM IT administrator on LinkedIn, called the company's helpdesk, pretended to be that person, and said they'd lost their phone. The helpdesk agent reset their multi-factor authentication. That was all it took. Within hours the attackers had the equivalent of master keys to MGM's entire computer network. They used those keys to install ransomware — software that locks up computer systems and demands payment to unlock them. The result was visible to anyone staying at an MGM hotel in Las Vegas: hotel room keys stopped working, slot machines went dark, check-in queues stretched for hours, and the online casino was unavailable for more than a week. MGM refused to pay the ransom. The disruption cost the company an estimated $100 million — all triggered by a single helpdesk interaction.
What happened
On 11 September 2023, Scattered Spider — a loosely organised, predominantly English-speaking group that operates as an affiliate of the ALPHV/BlackCat ransomware-as-a-service platform — deployed ransomware across MGM Resorts International’s corporate and operational infrastructure. The encryption hit VMware ESXi hypervisors underpinning MGM’s data centres, taking down the systems that hotel-room key cards, slot machines, restaurant point-of-sale terminals, and online gambling platforms all depended on.
MGM refused to pay the ransom demand. The operational disruption lasted ten days across the company’s Las Vegas Strip properties — including the Bellagio, Aria, Vdara, MGM Grand, Mandalay Bay, and the Park MGM — as well as MGM properties in Maryland, Massachusetts, Ohio, and Michigan. In its subsequent SEC 8-K filing MGM estimated the attack cost the company approximately $100 million in EBITDA impact, with the majority concentrated in the Las Vegas operations. MGM also disclosed that personal data belonging to customers who had interacted with the company before March 2019 was exfiltrated, including names, contact information, dates of birth, and Social Security numbers for a subset of guests.
Scattered Spider followed their standard playbook of public Telegram posts and extortion theatre, claiming to have exfiltrated large volumes of data and threatening further releases. MGM did not pay. Several alleged members of Scattered Spider were indicted by the US Department of Justice in November 2024, including individuals connected to the MGM and Caesars operations.
How it worked
The initial access vector was a social-engineering call to MGM’s IT service desk. Attackers identified a senior MGM IT administrator on LinkedIn — a search that took, by one account, approximately ten minutes — then called the MGM helpdesk posing as that individual. The caller claimed to have lost access to their phone and asked for their multi-factor authentication to be reset. The helpdesk agent complied. No out-of-band identity verification was performed.
That single helpdesk interaction gave the attackers authenticated access to an account with elevated Okta privileges. Okta is the identity platform MGM used to govern access across its enterprise applications. With admin-level Okta access, Scattered Spider could create new authentication sessions, grant themselves elevated roles in downstream applications, and move laterally across the environment without raising immediate alerts, because they were operating as a legitimate, MFA-verified administrator.
From the Okta foothold, the attackers escalated to domain-administrator privileges across MGM’s Active Directory environment. Domain admin access provides unrestricted reach across a Windows-based enterprise network — every server, every shared file system, every management interface. Scattered Spider moved through the environment, identified the VMware vSphere infrastructure that hosted MGM’s virtualised server estate, and deployed ALPHV ransomware targeting the ESXi hypervisors directly. Encrypting at the hypervisor layer is a particularly effective technique because it simultaneously locks every virtual machine running on the affected hosts, achieving maximum operational impact without needing to touch individual servers one by one.
Scattered Spider’s approach combines a human-first entry with a technically competent escalation path. The group’s membership skews young and English-speaking, which makes social-engineering calls to English-language helpdesks more credible and easier to execute than equivalents attempted by non-native speakers. The group recruits specialists — for vishing, for technical escalation, for ransomware deployment — and coordinates through Telegram, Discord, and similar group chats.
Timeline
- Pre-11 September 2023 — Attackers identify an MGM IT administrator on LinkedIn and prepare the vishing pretext.
- 11 September 2023 — Scattered Spider calls MGM’s IT helpdesk. MFA reset on a privileged Okta account is approved. Lateral movement begins within hours; domain-admin privileges obtained.
- 11–12 September 2023 — ALPHV ransomware deployed to VMware ESXi hosts. Slot machines, hotel key systems, POS terminals and online gambling platforms go offline. MGM initiates incident response.
- 13 September 2023 — MGM files an 8-K with the SEC disclosing the “cybersecurity issue”. Scattered Spider posts on Telegram claiming responsibility and threatening data publication.
- 11–20 September 2023 — Ten days of operational disruption across MGM’s Las Vegas Strip and regional properties.
- Late September 2023 — MGM confirms that customer personal data including Social Security numbers was exfiltrated.
- October 2023 — MGM’s Q3 earnings call attributes approximately $100 million EBITDA impact to the incident.
- November 2024 — US Department of Justice indicts five individuals alleged to be Scattered Spider members, including those connected to the MGM and Caesars operations.
What defenders should learn
The single most important lesson from MGM is that helpdesk identity verification is a security control that deserves the same rigour as firewall rules or patch management. The initial foothold here cost the attackers a LinkedIn search and a phone call. The helpdesk agent was not at fault in any meaningful sense — they followed the process they had been given, which did not require out-of-band verification of the caller’s identity. The process was the failure.
Robust helpdesk identity verification for any MFA reset or privileged-account action should require multiple independent corroborating factors: a callback to a number pre-registered on the employee’s profile, a manager sign-off via a separate channel, or a challenge that the employee would be able to answer from information not visible on their public social media. Any request that cannot clear that bar should default to a formal identity-verification workflow rather than a best-effort judgement call by an under-resourced service-desk agent.
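The verification rule in the paragraph above, written out as a policy check so that it can be enforced in a ticketing or helpdesk tool rather than left to judgement. This is an added example, not MGM's process or any vendor's product; the factor and channel names are assumptions chosen for illustration, and the request shape is hypothetical.

```python
"""Helpdesk identity-verification policy for MFA resets (added example).

Encodes the rule above: an MFA reset, or any action on a privileged account,
needs at least two corroborating factors that arrive over independent
channels, at least one of them out-of-band (not supplied by the caller).
Anything short of that is routed to a formal identity-verification workflow
rather than left to the agent's judgement. Factor and channel names are
assumptions chosen for illustration, not MGM's or any vendor's.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    ESCALATE = "escalate"   # hand off to the formal identity-verification workflow


# Each factor and the channel it arrives over. Two factors on the same channel
# (for example, two answers given by the caller) do not corroborate each other.
FACTOR_CHANNEL = {
    "callback_preregistered_number": "registered_phone",
    "manager_signoff_separate_channel": "manager",
    "private_knowledge_challenge": "caller",
    "caller_claimed_identity": "caller",
}
OUT_OF_BAND = {"callback_preregistered_number", "manager_signoff_separate_channel"}
HIGH_RISK_ACTIONS = {"mfa_reset", "password_reset", "role_grant"}


@dataclass
class HelpdeskRequest:
    account: str
    privileged: bool            # does the account hold admin or IdP rights?
    action: str                 # what the caller asked the agent to do
    factors: set = field(default_factory=set)


def verify(req: HelpdeskRequest) -> Decision:
    unknown = req.factors - set(FACTOR_CHANNEL)
    if unknown:
        raise ValueError(f"unrecognised factors: {sorted(unknown)}")
    if not (req.privileged or req.action in HIGH_RISK_ACTIONS):
        # Ordinary account, low-risk action: a single factor is enough.
        return Decision.APPROVE if req.factors else Decision.ESCALATE
    channels = {FACTOR_CHANNEL[f] for f in req.factors}
    if len(channels) >= 2 and req.factors & OUT_OF_BAND:
        return Decision.APPROVE
    return Decision.ESCALATE


if __name__ == "__main__":
    # The shape of the MGM call: a name lifted from LinkedIn and a lost-phone story.
    as_reported = HelpdeskRequest("it-admin", True, "mfa_reset", {"caller_claimed_identity"})
    print("as reported:", verify(as_reported).value)
    corroborated = HelpdeskRequest(
        "it-admin", True, "mfa_reset",
        {"callback_preregistered_number", "manager_signoff_separate_channel"})
    print("with out-of-band corroboration:", verify(corroborated).value)
```

The point of the channel map is that a knowledge challenge answered by the caller, however private the question, sits on the same channel as the caller's claimed identity and so adds nothing on its own; only a factor the agent obtains without the caller's help (a callback, a manager's confirmation) moves the request out of the escalate path.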
The Okta admin foothold illustrates why identity provider administration requires especially tight access control. An Okta admin account is not just a privileged account inside one application — it is a master key to every application the identity provider governs. The attack surface of an Okta administrator is the entire enterprise. That access should be restricted to the smallest possible number of people, should require phishing-resistant MFA (hardware keys or passkeys, not SMS or app-push), and should generate alerts on any unusual activity — new session from an unrecognised device, privileged role assignment, configuration changes — that are reviewed in near-real-time.
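The three alert conditions just listed (new session from an unrecognised device, privileged role assignment, configuration changes) as detection logic run over a batch of identity-provider log records. This is an added example, not MGM's tooling or Okta's own code: the event-type and field names follow the shape of Okta's System Log as I understand it and should be checked against your tenant, and the sample records are constructed for this example.

```python
"""Detection rules for identity-provider admin activity (added example).

Runs the three checks named above over a batch of log records: a session
from a device or address not previously seen for that administrator, a
privileged role grant, and identity-provider configuration changes (an MFA
factor reset by the helpdesk is the one that mattered at MGM). Event and
field names follow the shape of Okta's System Log as I understand it and
are assumptions; the records below are constructed, not from any real
environment.
"""
import json
from collections import defaultdict

PRIVILEGE_EVENTS = {"user.account.privilege.grant"}
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
CONFIG_EVENT_PREFIXES = ("policy.", "application.", "system.")

# Constructed sample batch: one ordinary admin login, a helpdesk MFA reset on
# that admin, a fresh login from an unseen device, then a role grant.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"eventType": "user.session.start", "published": "2023-09-11T08:02:11Z",
     "actor": {"alternateId": "it-admin@example.com"},
     "client": {"ipAddress": "203.0.113.10", "userAgent": {"os": "Mac OS X", "browser": "CHROME"}},
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.reset_all", "published": "2023-09-11T10:15:40Z",
     "actor": {"alternateId": "helpdesk-agent@example.com"},
     "client": {"ipAddress": "203.0.113.22", "userAgent": {"os": "Windows", "browser": "EDGE"}},
     "target": [{"type": "User", "alternateId": "it-admin@example.com"}],
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.session.start", "published": "2023-09-11T10:31:05Z",
     "actor": {"alternateId": "it-admin@example.com"},
     "client": {"ipAddress": "198.51.100.7", "userAgent": {"os": "Windows", "browser": "FIREFOX"}},
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.account.privilege.grant", "published": "2023-09-11T10:40:57Z",
     "actor": {"alternateId": "it-admin@example.com"},
     "client": {"ipAddress": "198.51.100.7", "userAgent": {"os": "Windows", "browser": "FIREFOX"}},
     "target": [{"type": "User", "alternateId": "svc-deploy@example.com"},
                {"type": "ROLE", "displayName": "Super Administrator"}],
     "outcome": {"result": "SUCCESS"}},
]]

# Constructed baseline: the devices each administrator normally signs in from.
KNOWN_DEVICES = {"it-admin@example.com": {("203.0.113.10", "Mac OS X/CHROME")}}


def device_key(event):
    client = event.get("client", {})
    ua = client.get("userAgent", {})
    return (client.get("ipAddress"), f"{ua.get('os')}/{ua.get('browser')}")


def evaluate(lines, known_devices):
    """Return (severity, rule, actor, detail) tuples, one per flagged event."""
    seen = defaultdict(set, {k: set(v) for k, v in known_devices.items()})
    alerts = []
    for line in lines:
        ev = json.loads(line)
        etype = ev["eventType"]
        actor = ev["actor"]["alternateId"]
        targets = [t.get("displayName") or t.get("alternateId") for t in ev.get("target", [])]
        if etype == "user.session.start":
            key = device_key(ev)
            if key not in seen[actor]:
                alerts.append(("high", "new-device-session", actor, key))
                seen[actor].add(key)   # one alert per new device within this batch
        elif etype in PRIVILEGE_EVENTS:
            alerts.append(("critical", "privileged-role-grant", actor, targets))
        elif etype in MFA_RESET_EVENTS or etype.startswith(CONFIG_EVENT_PREFIXES):
            alerts.append(("high", "idp-config-change", actor, (etype, targets)))
    return alerts


if __name__ == "__main__":
    for severity, rule, actor, detail in evaluate(SAMPLE_LOG, KNOWN_DEVICES):
        print(f"[{severity}] {rule}: {actor} {detail}")
```

Read together, the three alerts on the sample batch tell the MGM story in order: a helpdesk-initiated MFA reset on an admin, a login by that admin from a device never seen before, then a role grant within minutes. The device set learned during a batch is deliberately not written back to the baseline; a new device should only become "known" after a human has reviewed the alert.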
ESXi targeting has become a standard ransomware technique. Defenders whose virtualised estate runs on ESXi should treat the vSphere management plane as a tier-zero asset: isolated on a dedicated management network, accessible only from hardened jump hosts, with all administrative sessions logged and monitored. Ransomware that reaches ESXi can encrypt every virtual machine on the affected hosts in minutes. Containment after that point is recovery, not defence.
Finally, the MGM incident, alongside Caesars, validated a broader trend that security teams had been tracking but that enterprise leadership had not always taken seriously: English-speaking social engineers are as dangerous as technically sophisticated nation-state actors, and often faster. The Scattered Spider TTPs do not require novel exploits. They require well-prepared scripts, a credible accent, and a helpdesk culture that has not been trained to treat any unsolicited credential request as suspicious by default.
Controls that would have helped
The following defender controls, catalogued in the Controls Desk, would have changed the outcome of this incident or limited its blast radius. They are sourced from regulator and framework guidance, never from vendors.
- Phishing-resistant MFA on every privileged account: Hardware keys or platform authenticators on admin, cloud-root, HR-system, CRM and customer-data accounts. SMS one-time codes do not count as MFA against a serious adversary.
- Just-in-time privilege elevation, not standing admin: Standing admin rights on a privileged account give the attacker the same window the legitimate admin has. Just-in-time elevation collapses that window to minutes.
- Set DMARC to p=reject, with DKIM and SPF aligned: A reject-policy DMARC record stops attackers spoofing your domain to your suppliers, customers and staff. The configuration is free and the regulators are unanimous.
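For the DMARC control in the last list item, a small checker that parses a DMARC TXT record, reports the settings that leave a domain spoofable, and evaluates whether a message's SPF and DKIM results align with its From: domain under the record's alignment mode. This is an added example, not code from the Controls Desk or any DMARC validator; the two records are constructed, and the organisational-domain derivation (last two labels) is a simplification of the Public Suffix List lookup a real validator performs.

```python
"""DMARC record linter and alignment check (added example).

Parses a DMARC TXT record, reports the weak settings that leave a domain
spoofable, and works out the disposition a receiver would apply to a message
given its From: domain and the domains that passed SPF and DKIM. The records
below are constructed; org_domain() uses the last two labels, a simplification
of the Public Suffix List lookup real validators perform.
"""

# Constructed records: a monitoring-only record and an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and check the mandatory tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def lint_dmarc(txt: str) -> list:
    """Return findings; an empty list means the record enforces rejection."""
    t = parse_dmarc(txt)
    findings = []
    if t["p"] != "reject":
        findings.append(f"p={t['p']}: receivers are told to deliver spoofed mail")
    sp = t.get("sp", t["p"])          # subdomain policy defaults to p=
    if sp != "reject":
        findings.append(f"sp={sp}: subdomains remain spoofable")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in t:
        findings.append("no rua=: no aggregate reports, so spoofing goes unnoticed")
    return findings


def org_domain(domain: str) -> str:
    # Simplification: real validators consult the Public Suffix List here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_disposition(txt, from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """'pass' if either authenticated identifier aligns, else the published policy."""
    t = parse_dmarc(txt)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, t.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, t.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else t["p"]


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, lint_dmarc(rec) or "no findings")
        # A spoof: From: example.com, SPF passes only for the sender's own domain.
        print(" spoof ->", dmarc_disposition(rec, "example.com", "attacker.example", True, None, False))
```

The spoofed message passes SPF for the sender's own domain, which is exactly the case alignment exists to catch: under the weak record the disposition is "none" and the mail is delivered, under the strong record it is rejected. The trade-off of adkim=s and aspf=s is visible in the same function: mail signed with d=mail.example.com for a From: of example.com passes under relaxed alignment but is rejected under strict, so strict mode is only safe once every legitimate sender signs with the exact From: domain.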
Sources
- MGM Resorts — SEC 8-K filing, 13 September 2023 // primary
- MGM Resorts cyberattack — Wikipedia // reporting
- CISA — Scattered Spider advisory (AA23-320A) // analysis
- Krebs on Security — Alleged Scattered Spider Members Face US Federal Charges // reporting
- Bloomberg — MGM Hackers Broadened Scope With Casino Giant's Help Desk // reporting