As we first reported in April, it's a crime that has been growing more costly and disruptive every year. Now cybersecurity researchers fear it's about to get worse, with the emergence of an audacious group of young criminal hackers from the U.S., U.K. and Canada the FBI calls Scattered Spider. More troubling, they have teamed up with Russia's most notorious ransomware gang.
Last September, one of the most pernicious ransomware attacks in history was unleashed on MGM Resorts – costing the hotel and casino giant more than $100 million. It disrupted operations at a dozen of the most renowned gaming palaces on the Las Vegas strip: MGM Grand, Aria, Mandalay Bay, New York-New York, the Bellagio.
Anthony Curtis is a Las Vegas fixture. He's so good at counting cards, he's been banned from card games here. He now publishes the "Las Vegas Advisor," a monthly newsletter on all things Vegas.
Anthony Curtis: Incredibly, when it happened, I was in an MGM property, and it happened while we were having dinner and there just began to be a rumbling that something was going on. When I went down into the casino, I could see then that slot machines were sitting dark, people were scrambling around. The shutdown was starting to take effect.
Across the Vegas strip… thousands of slot machines suddenly stopped paying out.
Anthony Curtis: So all of a sudden now people are goin', "How do I get my money? What's wrong?" And the people were sitting there waiting and couldn't get paid.
Bill Whitaker: Were they angry?
Anthony Curtis: They were getting angry, yeah. And this was just the tip of the iceberg.
Elevators were malfunctioning… parking gates froze… digital door keys wouldn't work. As computers went down, reservations locked up and lines backed up at the front desks.
Anthony Curtis: Anything that required technology was not working.
Bill Whitaker: Sounds like chaos.
Anthony Curtis: Nobody knew what to do and including the employees. The employees just had to, you know, beg forgiveness and patience.
Bill Hornbuckle (at October conference): Look, it's corporate terrorism at its finest.
The company declined our interview request, but at a conference a month after the hack, MGM's CEO admitted the disruptions were devastating.
Bill Hornbuckle (at October conference): For the next four or five days with 36,000 hotel rooms and some regional properties we were completely in the dark.
The hackers demanded $30 million to unlock MGM's data. The company refused. But they still paid a price – $100 million in lost revenue and millions more to rebuild their servers.
So how did the intruders get in? Through a technique of deception and manipulation called social engineering. First, hackers zeroed in on an employee, gathering information from the dark web and open sources like LinkedIn. Next, a smooth-talking hacker, impersonating the employee, called the MGM Tech Help Desk and convinced them to reset his password.
With that, the hacker was inside MGM's computers and unleashed the destructive malware. Anthony Curtis says it was the cybercriminal's version of an Ocean's Eleven heist.
Anthony Curtis: They're doing it the old-fashioned way. I mean, they're doin' it the new way but with the old-fashioned goal. They wanna get the money.
Bill Whitaker: What do you make of that?
Anthony Curtis: I don't wanna be too glowing like I-- like I like these guys 'cause they're-- they're just crooks, right? But these hackers were able to turn the tables. The casinos have their-- they have their systems. They have their protections. They have their experts. They have their security. These guys are better.
Later, MGM's biggest competitor, Caesars, admitted it also suffered a social engineering attack around the same time, suspected to be the work of the same group. But Caesars paid a ransom, reportedly $15 million, and suffered no disruptions.
Bryan Vorndran: From an FBI perspective, our position is we recommend a ransom not be paid. But we understand it's a business decision during a time of crisis.
Bryan Vorndran is head of the FBI's Cyber Division. He told us ransomware attacks have grown increasingly brazen.
Bryan Vorndran: Any way you look at the numbers it's a problem for the global economy, and for the U.S. economy, and for the security of the United States. There's estimates that global losses exceed $1 billion U.S. per year.
Bill Whitaker: Have you made any arrests in the Las Vegas cases?
Bryan Vorndran: We're not gonna talk about specific cases or specific companies.
But he did point us toward the prime suspect.
Bryan Vorndran: When we talk about the actors behind some of the more recent ransomware attacks, the name that's generally raised is Scattered Spider. And that's a criminal group that we have a lot of attention on because of the havoc they're wreaking across the United States.
Scattered Spider is what the FBI calls a loose-knit web of predominantly native English-speaking hackers responsible for the casino hacks – and dozens more. Their specialty is social engineering.
Allison Nixon: Part of their success is because they are fluent in Western culture. They know how our society works. They know what to say to get someone to do something.
Allison Nixon is chief research officer at Unit 221b, a cybersecurity firm that focuses on English-speaking cybercriminals. She says Scattered Spider is just one of many illicit hacking groups -- all part of a sprawling collection of online criminals calling themselves "the Community," or "the Com."
Allison Nixon: The Com is a subculture. It is specifically an English-speaking youth subculture that has arisen in the past few years. It's very new, but it's surprisingly disruptive.
Members of the Com have hacked into companies like Microsoft, Nvidia, and Electronic Arts.
Bill Whitaker: How many people are involved?
Allison Nixon: Years ago, it was maybe a few hundred people. But since 2018 the population has exploded because of the money coming into these groups. And there's thousands of people involved at this point.
Bill Whitaker: How are they connected?
Allison Nixon: They connect over the internet. Social spaces where people hang out. Gaming servers. It's almost analogous to like maybe the back alley where the bad kids hang out but on the internet.