In the past year -- hospitals, pharmacies, tech companies, Las Vegas' biggest hotels and casinos have been paralyzed by "ransomware" attacks, in which hackers break into a corporate network, encrypt, or lock up critical files and hold them hostage until a ransom is paid. It's a crime that has been growing more costly and disruptive every year. Now cybersecurity researchers fear it's about to get worse, with the emergence of an audacious group of young criminal hackers from the U.S., U.K. and Canada the FBI calls Scattered Spider. More troubling, they have teamed up with Russia's most notorious ransomware gang.
This past September, one of the most pernicious ransomware attacks in history was unleashed on MGM Resorts – costing the hotel and casino giant more than $100 million. It disrupted operations at a dozen of the most renowned gaming palaces on the Las Vegas strip: MGM Grand, Aria, Mandalay Bay, New York-New York, the Bellagio.
Anthony Curtis is a Las Vegas fixture. He's so good at counting cards, he's been banned from card games here. He now publishes the "Las Vegas Advisor," a monthly newsletter on all things Vegas.
Anthony Curtis: Incredibly, when it happened, I was in an MGM property, and it happened while we were having dinner and there just began to be a rumbling that something was going on. When I went down into the casino, I could see then that slot machines were sitting dark, people were scrambling around. The shutdown was starting to take effect.
Across the Vegas strip… thousands of slot machines suddenly stopped paying out.
Anthony Curtis: So all of a sudden now people are goin', "How do I get my money? What's wrong?" And the people were sitting there waiting and couldn't get paid.
Bill Whitaker: Were they angry?
Anthony Curtis: They were getting angry, yeah. And this was just the tip of the iceberg.
Elevators were malfunctioning… parking gates froze… digital door keys wouldn't work. As computers went down, reservations locked up and lines backed up at the front desks.
Anthony Curtis: Anything that required technology was not working.
Bill Whitaker: Sounds like chaos.
Anthony Curtis: Nobody knew what to do and including the employees. The employees just had to, you know, beg forgiveness and patience.
Bill Hornbuckle (at October conference): Look, it's corporate terrorism at its finest.
The company declined our interview request, but at a conference a month after the hack, MGM's CEO admitted the disruptions were devastating.
Bill Hornbuckle (at October conference): For the next four or five days with 36,000 hotel rooms and some regional properties we were completely in the dark.
The hackers demanded $30 million to unlock MGM's data. The company refused. But they still paid a price – $100 million in lost revenue and millions more to rebuild their servers.
So how did the intruders get in? Through a technique of deception and manipulation called social engineering. First hackers zeroed in on an employee, gathering information from the dark web and open sources like LinkedIn. Next, a smooth-talking hacker, impersonating the employee, called the MGM Tech Help Desk and convinced them to reset his password.
With that, the hacker was inside MGM's computers and unleashed the destructive malware. Anthony Curtis says it was the cybercriminal's version of an Ocean's Eleven heist.
Anthony Curtis: They're doing it the old-fashioned way. I mean, they're doin' it the new way but with the old-fashioned goal. They wanna get the money.
Bill Whitaker: What do you make of that?
Anthony Curtis: I don't wanna be too glowing like I-- like I like these guys 'cause they're-- they're just crooks, right? But these hackers were able to turn the tables. The casinos have their-- they have their systems. They have their protections. They have their experts. They have their security. These guys are better.
Bryan Vorndran, head of the FBI's Cyber Division, shared insights on dealing with ransomware attacks. According to Vorndran, the FBI recommends against paying a ransom, but acknowledges that it's a business decision made in times of crisis.
Vorndran highlighted the increasing boldness of ransomware attacks in recent times. He emphasized the detrimental impact of these attacks on the global and U.S. economy, with estimated losses exceeding $1 billion per year.
When questioned about specific cases, Vorndran refrained from discussing details but mentioned a prime suspect in recent ransomware incidents. Known as Scattered Spider, this criminal group of predominantly English-speaking hackers is a focus of FBI investigations due to the widespread damage they have caused, including high-profile casino hacks.
Scattered Spider's expertise lies in social engineering, making them a significant threat to cybersecurity across the United States.
Allison Nixon: Part of their success is because they are fluent in Western culture. They know how our society works. They know what to say to get someone to do something.
Allison Nixon is chief research officer at Unit 221b, a cybersecurity firm that focuses on English-speaking cybercriminals. She says Scattered Spider is just one of many illicit hacking groups -- all part of a sprawling collection of online criminals calling themselves "the Community," or "the Com."
Allison Nixon: The Com is a subculture. It is specifically an English-speaking youth subculture that has arisen in the past few years. It's very new, but it's surprisingly disruptive.
Members of the Com have hacked into companies like Microsoft, Nvidia, and Electronic Arts.
Bill Whitaker: How many people are involved?
Allison Nixon: Years ago, it was maybe a few hundred people. But since 2018 the population has exploded because of the money coming into these groups. And there's thousands of people involved at this point.
Bill Whitaker: How are they connected?
Allison Nixon: They connect over the internet. Social spaces where people hang out. Gaming servers. It's almost analogous to like maybe the back alley where the bad kids hang out but on the internet.
Bill Whitaker: How old are we talking about?
Allison Nixon: Males under the age of 25.
Bill Whitaker: Under 25 down to how young?
Allison Nixon: Like 13, 14.
Bill Whitaker: Involved in pulling off major crimes?
Allison Nixon: Yeah.
Members communicate and post pictures on messaging apps like Telegram – their chatter, a toxic stew of racism, sexism... boasting about the money they've scammed, and how menacing they are.
Allison Nixon: There are these toxic online spaces where young people can socialize and mingle with criminals and gang members. And the end result of all of this is this online subculture has formed that glorifies crime, that measures one's personal worth by how much harm they can cause the world.
Scattered Spider is one of the most sophisticated offshoots of "the Com." Their criminal exploits caught the attention of cybersecurity companies… and other hackers… including the most notorious Russian ransomware gang, BlackCat. They saw the young native English-speaking Westerners as a force multiplier. Both claimed credit for the MGM attack.
Allison Nixon: Historically speaking, Russian cyber criminals did not like working with Western cyber criminals. There was not only a language barrier, but also they kinda looked down on them and viewed them as unprofessional.
The Russian and Western hackers met in the shadowy corners of the dark web and now are powerful partners in crime. Scattered Spider uses its English and social engineering skills to break into Western companies' networks. BlackCat provides its experience and its malware – used in some of the most shocking ransomware attacks.
…. including the 2021 attack on Colonial Pipeline, which caused gas shortages up and down the East Coast... and this year's attack on UnitedHealth Group, which disrupted pharmacies nationwide. The State Department is offering a $15 million reward for information on Russia's BlackCat.
Jon DiMaggio, a former analyst at the National Security Agency, now investigates ransomware as chief security strategist for the cybersecurity company Analyst1.
Jon DiMaggio: So there's a term. It's called "ransomware as a service," that's been given to the structure and the format of these gangs.
DiMaggio says "ransomware as a service" has taken the crime to a new level. The long-established Russian gangs, like BlackCat, offer their services – malware, experience negotiating ransoms and laundering money – to what they call "affiliates," like Scattered Spider.
Jon DiMaggio: So in return, when a victim pays an extortion, the profit that comes from it is now shared amongst those criminals.
The most successful Russian gangs are run like legitimate companies with easy-to-navigate online platforms… 24-hour service desks … even human resources to hire software developers.
Jon DiMaggio: There are people that specialize in developing malware and ransomware, and they're in very high demand.
Interviewer: You mentioned that you have built relationships with some of these individuals.
Respondent: Indeed.
Interviewer: Can you describe the demographic of these individuals?
Respondent: The leaders are typically in their late 30s to 40s. They possess a wealth of experience and come from financial backgrounds.
The individual we interviewed reveals that Russian authorities offer a safe harbor for ransomware groups.
Respondent: As long as they avoid targeting organizations within Russia or the former Soviet states, they are not pursued legally. It's not even considered a crime.
Interviewer: So, attacking American businesses is not deemed illegal?
Respondent: It's hard to believe, isn't it? But that's the reality.
Interviewer: Essentially, they can operate without fear of consequences.
Respondent: Absolutely. That's why this type of crime is so prevalent.
The threat of Russian ransomware has escalated to the point where the top cyber experts at the National Security Agency have stepped in to combat it.
Prior to his recent retirement, Rob Joyce served as the NSA's cybersecurity director. According to him, the attack on the Colonial Pipeline served as a crucial wake-up call.
NSA's Efforts Against Cyber Threats
In response to the increasing foreign cyber threats, Rob Joyce from the NSA emphasized the need for more resources to combat these challenges. He highlighted the value of having hackers within the NSA to counter cyber threats effectively, as sometimes it takes a hacker to defeat a hacker.
The NSA played a crucial role in identifying the Russian hacker behind the Colonial Pipeline attack. After months of negotiations, Russia arrested the hacker and his accomplices in January 2022. However, following the Ukraine invasion, these individuals were released from jail, allowing them to resume their illicit activities.
Collaborating with the young native English speakers of Scattered Spider, these hackers have evolved their cybercrime tactics. Bryan Vorndran from the FBI acknowledged the capabilities of these adversaries and emphasized the importance of staying vigilant in the face of such threats.
Recent arrests, like that of 19-year-old Noah Urban from Florida for cryptocurrency theft, shed light on the connections to groups like Scattered Spider. Despite ongoing investigations, the hackers involved in the casino heists remain at large, forming alliances with other cybercriminals. Allison Nixon warns that the situation in Las Vegas could be a sign of things to come.
Allison Nixon expressed her concern about the increasing level of cybercrime, stating that it has reached a point where it feels overwhelming. She emphasized that every year the situation worsens, and as defenders, it seems like they are winning every battle but losing the overall war.
Produced by Graham Messick. Associate producer, Jack Weingart. Field associate producer, Eliza Costas. Broadcast associate, Mariah B. Campbell. Edited by Matthew Lev.