Scattered Spider executed a sophisticated cyberattack on MGM Resorts, leveraging advanced social engineering and hypervisor-level ransomware tactics. The attack resulted in operational disruptions, financial losses exceeding $100 million, and significant reputational damage. The group exploited VMware vSphere environments, deployed DragonForce ransomware, and maintained persistent access despite active incident response efforts.
Source: https://cybersecuritynews.com/scattered-spider-threat-actor-profile/
TPRM report: https://www.rankiteo.com/company/mgm-resorts-international
"id": "mgm301080925",
"linkid": "mgm-resorts-international",
"type": "Ransomware",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Hospitality',
                        'location': 'United States',
                        'name': 'MGM Resorts',
                        'type': 'Corporation'},
                       {'industry': 'Hospitality',
                        'location': 'United States',
                        'name': 'Caesars Entertainment',
                        'type': 'Corporation'}],
 'attack_vector': 'Social Engineering, Phishing, SIM Swapping, '
                  'Hypervisor-Level Attacks',
 'data_breach': {'data_encryption': 'Yes', 'data_exfiltration': 'Yes'},
 'description': 'Scattered Spider, a sophisticated cybercriminal group, has '
                'evolved from basic phishing operations to complex multi-stage '
                'ransomware campaigns targeting critical infrastructure. The '
                'group has shifted to hypervisor-level attacks and adopted new '
                'ransomware variants, posing a significant threat to security '
                'professionals worldwide.',
 'impact': {'financial_loss': '$100 million (MGM Resorts attack)',
            'operational_impact': 'Significant operational disruption',
            'systems_affected': 'VMware vSphere, ESXi environments, Cloud '
                                'storage environments'},
 'initial_access_broker': {'entry_point': 'Social Engineering, Phishing',
                           'high_value_targets': 'VMware vSphere, ESXi '
                                                 'environments, Cloud storage '
                                                 'environments'},
 'lessons_learned': 'The incident highlights the need for comprehensive '
                    'identity governance, advanced behavioral analytics, and '
                    'security architectures that assume compromise rather than '
                    'attempting to prevent all intrusions.',
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'corrective_actions': 'Enhance identity and access '
                                                  'management, improve help '
                                                  'desk security procedures, '
                                                  'and implement advanced '
                                                  'behavioral analytics.',
                            'root_causes': 'Sophisticated social engineering, '
                                           'abuse of legitimate administrative '
                                           'tools, and targeting of '
                                           'virtualization infrastructure.'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransomware_strain': 'DragonForce'},
 'recommendations': 'Implement phishing-resistant multi-factor authentication, '
                    'enhance help desk security procedures, secure '
                    'virtualization infrastructure, and improve cloud security '
                    'measures.',
 'references': [{'source': 'Cybersecurity Reports'}],
 'threat_actor': 'Scattered Spider (UNC3944, Octo Tempest, 0ktapus, Muddled '
                 'Libra, Scatter Swine)',
 'title': 'Scattered Spider Cyber Attacks',
 'type': 'Cyber Attack, Ransomware, Social Engineering'}