Days before MGM’s computer systems were taken down in a cyberattack, casino operator Caesars paid out a ransom worth $15 million to a cybercrime group that managed to infiltrate and disrupt its systems, sources familiar with the matter told CNBC.
The cybercrime group has made a ransom demand to MGM as well, those sources told CNBC’s Contessa Brewer.
There have now been two highly disruptive attacks on the gaming industry in a matter of weeks. Caesars reported its incident in a U.S. Securities and Exchange Commission filing Thursday morning. The 8-K report, similar to one filed by MGM Resorts on Wednesday, acknowledges the hack as a material event.
The cybercrime group demanded a $30 million ransom from Caesars, but the company ultimately agreed to pay about half that, sources said. The costs will be partially mitigated by Caesars’ cyber insurance policies.
But Caesars does not anticipate the ransom payment or fallout will have a material effect on the company’s bottom line, according to the filing.
“Although members of the group may be less experienced and younger than many of the established multifaceted extortion and ransomware groups, they are a serious threat to large companies in the United States,” Charles Carmakal, chief technology officer at Google Cloud’s Mandiant, told CNBC. “Many members are native English speakers and are incredibly effective social engineers.”
Bloomberg previously reported the ransom and that the same group is behind the attacks on both companies. The group, known as UNC3944 or Roasted 0ktapus, was also linked to the MGM attack by vx-underground, a widely followed cybersecurity researcher on X, formerly known as Twitter. Security researchers have connected the group to attacks on other companies, including Cloudflare, Okta and Twilio.
SEC rules require that companies file reports within four days of a “material” event. It wasn’t immediately clear why Caesars delayed filing the report disclosing the hack and ransom for weeks. The SEC pushed to introduce a new cybersecurity disclosure rule earlier this year, requiring that companies file an 8-K report disclosing the nature of a cyberattack and the effect on its business. That new rule kicks in by year-end.