Caesars paid millions in ransom to cybercrime group prior to MGM hack

Days before MGM’s computer systems were taken down in a cyberattack, casino operator Caesars paid out a ransom worth $15 million to a cybercrime group that managed to infiltrate and disrupt its systems, sources familiar with the matter told CNBC.

The cybercrime group has also made a ransom demand to MGM as well, those sources told CNBC’s Contessa Brewer.

There have now been two highly disruptive attacks on the gaming industry in a matter of weeks. Caesar’s reported their incident in a Securities and Exchange Commission filing Thursday morning. The 8-K report, similar to one filed by MGM Resorts on Wednesday, acknowledges that the hack as a material event.

The cybercrime group demanded a $30 million ransom from Caesars, but the company ultimately agreed to pay around half that, sources said. The costs will be partially mitigated by Caesar’s cyber insurance policies.

But Caesars does not anticipate the ransom payment or fallout will have a material impact on the company’s bottom line, according to the filing.

“Although members of the group may be less experienced and younger than many of the established multifaceted extortion and ransomware groups, they are a serious threat to large companies in the United States,” Charles Carmakal, chief technology officer at Google Cloud’s Mandiant, told CNBC. “Many members are native English speakers and are incredibly effective social engineers.”

Bloomberg previously reported the ransom and that the same group is behind the attacks on both companies. The group, known as UNC3944 or Roasted 0ktapus, was also linked to the MGM attack by vx-underground, a widely followed cybersecurity researcher on X, formerly known as Twitter. Security researchers have connected the group to attacks on other companies, including Cloudflare, Okta, and Twilio.

SEC rules require that companies file reports within 4 days of a “material” event. It wasn’t immediately clear why Caesars delayed filing the report disclosing the hack and ransom for weeks. The SEC pushed to introduce a new cybersecurity disclosure rule earlier this year, requiring that companies file an 8-K report disclosing the nature of a cyberattack and the impact on its business. That new rule kicks in by year-end.