Scattered Spider — a financially motivated group of young English-speaking hackers operating as a BlackCat/ALPHV affiliate — hit both MGM Resorts and Caesars Entertainment using social engineering and SIM swapping rather than zero-days. Caesars paid a $15 million ransom and recovered quickly; MGM refused, suffered 10 days of casino and hotel downtime, and was publicly recruiting Linux admins at $110/hour to rebuild its entire IT infrastructure from scratch.
Stories Covered
MGM vs. Caesars: Two Different Ransomware Responses, Two Very Different Outcomes
Both MGM Resorts and Caesars Entertainment were breached by the same threat actor group — Scattered Spider, also tracked as Roasted Octopus — operating as an affiliate of the BlackCat (ALPHV) ransomware platform. The two organizations responded in opposite ways. Caesars quickly negotiated and paid approximately $15 million to the ransomware group, described as roughly 0.1% of the company’s prior year revenue — an amount small enough that it would not have appeared material in an earnings call under other circumstances. Caesars recovered in relatively short order and resumed operations. MGM refused to pay, and the consequences were extensive: slot machines, ATMs, credit card machines, the MGM Rewards app, all brand websites, the check-in system, and digital room key systems were completely inoperable for most of 10 days. MGM publicly posted a job listing seeking a Red Hat Linux system administrator willing to work 10 hours per day, seven days a week at $110 per hour to rebuild its entire IT environment from the ground up. A post on social media described the situation for MGM employees as materially worse than publicly reported: no access to schedules, PTO hours, 401(k) information, timecard data, or attendance records, with employee Social Security numbers and bank information potentially compromised and minimal communication from management.
The pay-versus-recover debate has no clean answer. Paying transfers money to criminals, signals that you will pay, and puts a larger target on your back for future attacks — threat actors share information about which victims paid and how much. Not paying results in exactly what MGM experienced: extended operational disruption, revenue loss, employee data exposure, reputational damage, and the cost of rebuilding infrastructure that may exceed the ransom itself. The MGM outcome also produced a reported physical security failure: as the digital room key system went offline, the physical key fallback produced a situation where some keys were opening multiple rooms and elevator access across floors was improperly granted to guests, creating a physical security incident on top of the cyber incident. The correct organizational preparation is neither “we’ll pay” nor “we’ll refuse” as a policy — it is having sufficient offline backups and documented recovery procedures that the rebuild timeline is days rather than weeks, which removes most of the leverage the ransomware group holds.
Scattered Spider: Social Engineering and SIM Swapping, Not Zero-Days
CrowdStrike first reported on Scattered Spider in December 2022. The group is notable for what it does not do: it does not develop proprietary malware, it does not use zero-day vulnerabilities, and it does not rely on highly technical exploitation. Instead, Scattered Spider’s attacks consistently begin with one of three social engineering vectors: SMS phishing to harvest credentials, voice phishing calls to convince targets to hand over credentials or install remote access software, or SIM swapping to seize control of a target’s phone number and use it to bypass SMS-based two-factor authentication. Once inside a network, the group uses legitimate remote management tools — the same software that IT administrators use for remote access — rather than custom implants, which makes their presence harder to distinguish from normal administrative activity in network logs. For the MGM and Caesars attacks, the specific entry vector reported was a help desk social engineering call: attackers impersonated employees and convinced IT support to reset credentials, gaining initial access through the front door.
The broader implication is that the most sophisticated technical defenses in the world do not protect against a threat actor whose entire model is getting a help desk employee to reset credentials over the phone. Multi-factor authentication fatigue attacks — where the attacker repeatedly pushes MFA approval requests to the victim’s device until they approve one accidentally or out of annoyance — defeat SMS-based and push notification MFA. The defenses that matter against this specific attack model are: mandatory phishing-resistant MFA (hardware keys or passkeys, not SMS), strict identity verification protocols for help desk credential resets that cannot be bypassed by voice calls alone, and network segmentation so that initial access via a help desk account does not provide direct pathways to operational systems or ransomware deployment vectors. Scattered Spider is financially motivated and English-speaking, which makes their social engineering attacks particularly effective against English-speaking organizations where callers do not trigger immediate suspicion. The technical sophistication of the attack — minimal — is not a defense. The human vulnerability they exploit is reliable regardless of the perimeter controls surrounding it.





