Cybersecurity investigators worry ransomware attacks may worsen as young, Western hackers work with Russians
This is an updated version of a story first published on April 14, 2024.
In the past year, hospitals, pharmacies, tech companies, and Las Vegas' biggest hotels and casinos have been paralyzed by "ransomware" attacks, in which hackers break into a corporate network, encrypt (lock up) critical files, and hold them hostage until a ransom is paid. As we first reported in April, it's a crime that has been growing more costly and disruptive every year. Now cybersecurity researchers fear it's about to get worse, with the emergence of an audacious group of young criminal hackers from the U.S., U.K. and Canada that the FBI calls Scattered Spider. More troubling, they have teamed up with Russia's most notorious ransomware gang.
Last September, one of the most pernicious ransomware attacks in history was unleashed on MGM Resorts – costing the hotel and casino giant more than $100 million. It disrupted operations at a dozen of the most renowned gaming palaces on the Las Vegas strip: MGM Grand, Aria, Mandalay Bay, New York-New York, the Bellagio.
Anthony Curtis is a Las Vegas fixture. He's so good at counting cards, he's been banned from card games here. He now publishes the "Las Vegas Advisor," a monthly newsletter on all things Vegas.
Anthony Curtis: Incredibly, when it happened, I was in an MGM property, and it happened while we were having dinner and there just began to be a rumbling that something was going on. When I went down into the casino, I could see then that slot machines were sitting dark, people were scrambling around. The shutdown was starting to take effect.
Across the Vegas strip… thousands of slot machines suddenly stopped paying out.
Anthony Curtis: So all of a sudden now people are goin', "How do I get my money? What's wrong?" And the people were sitting there waiting and couldn't get paid.
Bill Whitaker: Were they angry?
Anthony Curtis: They were getting angry, yeah. And this was just the tip of the iceberg.
Elevators were malfunctioning… parking gates froze… digital door keys wouldn't work. As computers went down, reservations locked up and lines backed up at the front desks.
Anthony Curtis: Anything that required technology was not working.
Bill Whitaker: Sounds like chaos.
Anthony Curtis: Nobody knew what to do, including the employees. The employees just had to, you know, beg forgiveness and patience.
Bill Hornbuckle (at October conference): Look, it's corporate terrorism at its finest.
The company declined our interview request, but at a conference a month after the hack, MGM's CEO admitted the disruptions were devastating.
Bill Hornbuckle (at October conference): For the next four or five days with 36,000 hotel rooms and some regional properties we were completely in the dark.
The hackers demanded $30 million to unlock MGM's data. The company refused. But they still paid a price – $100 million in lost revenue and millions more to rebuild their servers.
So how did the intruders get in? Through a technique of deception and manipulation called social engineering. First, the hackers zeroed in on an employee, gathering information from the dark web and open sources like LinkedIn. Next, a smooth-talking hacker, impersonating that employee, called the MGM Tech Help Desk and convinced them to reset his password.
With that, the hacker was inside MGM's computers and unleashed the destructive malware. Anthony Curtis says it was the cybercriminal's version of an Ocean's Eleven heist.
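A defensive check that follows from the intrusion path just described: because the initial access was a help-desk-initiated password reset, a security operations team can correlate each such reset with the logins that follow it and flag any login that arrives soon afterwards from a source the account has never used before. The example below is added here and is not code from the story, from MGM or from the FBI; the JSON-lines log format, the field names, the sample events and the one-hour window are all constructed assumptions for illustration.

```python
"""Detection sketch: help-desk password resets followed by logins from unfamiliar sources.

Added example. The log format, field names and sample events below are
constructed for illustration; they are not taken from any real product or incident.
"""
import json
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line. 'ts' is ISO 8601 (UTC).
# jdoe: help-desk reset, then a login 8 minutes later from an IP never seen before.
# asmith: help-desk reset, then a login from the workstation IP seen days earlier.
SAMPLE_LOG = """
{"ts": "2024-09-10T12:00:00", "event": "login", "user": "jdoe", "src_ip": "10.1.4.22"}
{"ts": "2024-09-10T13:05:00", "event": "login", "user": "jdoe", "src_ip": "10.1.4.22"}
{"ts": "2024-09-11T09:12:00", "event": "helpdesk_password_reset", "user": "jdoe", "agent": "hd-042"}
{"ts": "2024-09-11T09:20:00", "event": "login", "user": "jdoe", "src_ip": "203.0.113.77"}
{"ts": "2024-09-08T08:00:00", "event": "login", "user": "asmith", "src_ip": "10.1.7.9"}
{"ts": "2024-09-11T10:00:00", "event": "helpdesk_password_reset", "user": "asmith", "agent": "hd-017"}
{"ts": "2024-09-11T10:30:00", "event": "login", "user": "asmith", "src_ip": "10.1.7.9"}
"""

# Assumed correlation window: how long after a reset a login is still "suspicious".
WINDOW = timedelta(hours=1)


def parse_events(text):
    """Parse JSON-lines text into a chronologically sorted list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_resets(events, window=WINDOW):
    """Return one alert per login that (a) follows a help-desk password reset for
    the same user within `window` and (b) comes from a source IP that user had
    never logged in from before the reset."""
    logins = [e for e in events if e["event"] == "login"]
    resets = [e for e in events if e["event"] == "helpdesk_password_reset"]
    alerts = []
    for reset in resets:
        user = reset["user"]
        # Baseline: every IP this user logged in from strictly before the reset.
        known_ips = {l["src_ip"] for l in logins
                     if l["user"] == user and l["ts"] < reset["ts"]}
        for login in logins:
            if login["user"] != user:
                continue
            in_window = reset["ts"] < login["ts"] <= reset["ts"] + window
            if in_window and login["src_ip"] not in known_ips:
                alerts.append({
                    "user": user,
                    "reset_ts": reset["ts"].isoformat(),
                    "helpdesk_agent": reset.get("agent"),
                    "login_ts": login["ts"].isoformat(),
                    "src_ip": login["src_ip"],
                    "minutes_after_reset": int(
                        (login["ts"] - reset["ts"]).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print("ALERT: help-desk reset for %(user)s by %(helpdesk_agent)s at %(reset_ts)s, "
              "then login from unseen IP %(src_ip)s %(minutes_after_reset)d min later"
              % alert)
```

On the constructed sample this yields a single alert for `jdoe`; the `asmith` reset produces none because the follow-up login comes from an address already in that user's history. In practice the baseline would be drawn from weeks of authentication logs rather than the handful of lines here, and the help-desk agent ID on the alert is what lets the response team pull the ticket and the call recording for the reset in question.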
Anthony Curtis: They're doing it the old-fashioned way. I mean, they're doin' it the new way but with the old-fashioned goal. They wanna get the money.
Bill Whitaker: What do you make of that?
Anthony Curtis: I don't wanna be too glowing like I-- like I like these guys 'cause they're-- they're just crooks, right? But these hackers were able to turn the tables. The casinos have their-- they have their systems. They have their protections. They have their experts. They have their security. These guys are better.
Later, MGM's biggest competitor, Caesars, admitted it also suffered a social engineering attack around the same time, suspected to be the work of the same group. But Caesars paid a ransom, reportedly $15 million, and suffered no disruptions.
Bryan Vorndran: From an FBI perspective, our position is we recommend a ransom not be paid. But we understand it's a business decision during a time of crisis.
Bryan Vorndran is head of the FBI's Cyber Division. He told us ransomware attacks have grown increasingly brazen.
Bryan Vorndran: Any way you look at the numbers it's a problem for the global economy, and for the U.S. economy, and for the security of the United States. There's estimates that global losses exceed $1 billion U.S. per year.
Bill Whitaker: Have you made any arrests in the Las Vegas cases?
Bryan Vorndran: We're not gonna talk about specific cases or specific companies.
But he did point us toward the prime suspect.
Bryan Vorndran: When we talk about the actors behind some of the more recent ransomware attacks, the name that's generally raised is Scattered Spider. And that's a criminal group that we have a lot of attention on because of the havoc they're wreaking across the United States.
Scattered Spider is what the FBI calls a loose-knit web of predominantly native English-speaking hackers responsible for the casino hacks – and dozens more. Their specialty is social engineering.
Allison Nixon: Part of their success is because they are fluent in Western culture. They know how our society works. They know what to say to get someone to do something.
Allison Nixon is chief research officer at Unit 221b, a cybersecurity firm that focuses on English-speaking cybercriminals. She says Scattered Spider is just one of many illicit hacking groups, all part of a sprawling collection of online criminals calling themselves "the Community," or "the Com."
Allison Nixon: The Com is a subculture. It is specifically an English-speaking youth subculture that has arisen in the past few years. It's very new, but it's surprisingly disruptive.
Members of the Com have hacked into companies like Microsoft, Nvidia, and Electronic Arts.
Bill Whitaker: How many people are involved?
Allison Nixon: Years ago, it was maybe a few hundred people. But since 2018 the population has exploded because of the money coming into these groups. And there's thousands of people involved at this point.
Bill Whitaker: How are they connected?
Allison Nixon: They connect over the internet. Social spaces where people hang out. Gaming servers. It's almost analogous to like maybe the back alley where the bad kids hang out but on the internet.
Bill Whitaker: How old are we talking about?
Allison Nixon: Males under the age of 25.
Bill Whitaker: Under 25 down to how young?
Allison Nixon: Like 13, 14.
Bill Whitaker: Involved in pulling off major crimes?
Allison Nixon: Yeah.
Members communicate and post pictures on messaging apps like Telegram – their chatter, a toxic stew of racism, sexism... boasting about the money they've scammed, and how menacing they are.
Allison Nixon: There are these toxic online spaces where young people can socialize and mingle with criminals and gang members. And the end result of all of this is this online subculture has formed that glorifies crime, that measures one's personal worth by how much harm they can cause the world.
Scattered Spider is one of the most sophisticated offshoots of "the Com." Their criminal exploits caught the attention of cybersecurity companies… and other hackers… including the most notorious Russian ransomware gang, BlackCat. They saw the young native English-speaking Westerners as a force multiplier. Both claimed credit for the MGM attack.
Allison Nixon: Historically speaking, Russian cyber criminals did not like working with Western cyber criminals. There was not only a language barrier, but also they kinda looked down on them and viewed them as unprofessional.
The Russian and Western hackers met in the shadowy corners of the dark web and now are powerful partners in crime. Scattered Spider uses its English and social engineering skills to break into Western companies' networks. BlackCat provides its experience and its malware – used in some of the most shocking ransomware attacks.
… including the 2021 attack on Colonial Pipeline, which caused gas shortages up and down the East Coast, and this year's attack on UnitedHealth Group, which disrupted pharmacies nationwide. The State Department is offering a $15 million reward for information on Russia's BlackCat.
Jon DiMaggio, a former analyst at the National Security Agency, now investigates ransomware as chief security strategist for the cybersecurity company Analyst1.
Jon DiMaggio: So there's a term. It's called "ransomware as a service," that's been given to the structure and the format of these gangs.
DiMaggio says "ransomware as a service" has taken the crime to a new level. The long-established Russian gangs, like BlackCat, offer their services – malware, experience negotiating ransoms and laundering money – to what they call "affiliates," like Scattered Spider.
Jon DiMaggio: So in return, when a victim pays an extortion, the profit that comes from it is now shared amongst those criminals.
The most successful Russian gangs are run like legitimate companies with easy-to-navigate online platforms… 24-hour service desks … even human resources to hire software developers.
Jon DiMaggio: There are people that specialize in developing malware and ransomware, and they're in very high demand.
Bill Whitaker: You said you've gotten to know some of these people.
Jon DiMaggio: Yes.
Bill Whitaker: Are they mostly young men?
Jon DiMaggio: The leadership are-- are, you know, people in their 40s, late 30s. They're people who've got experience. They're people that have a financial background.
DiMaggio says the Russian government provides a safe haven for ransomware gangs.
Jon DiMaggio: As long as they don't target, you know, an organization that falls within Russia or the former Soviet state, they don't get prosecuted. It's not considered a crime.
Bill Whitaker: It's not considered a crime to attack American businesses?
Jon DiMaggio: It's crazy, right? That's-- that's how it works though.
Bill Whitaker: So it's like they operate with impunity.
Jon DiMaggio: 100%. That's the whole reason why this is such a popular crime.
Russian ransomware has become such a threat… the elite cyber warriors at the National Security Agency have joined the fight.
Before retiring last March, Rob Joyce was NSA's director of cybersecurity. He told us the Colonial Pipeline attack was a wake-up call.
Rob Joyce: It caused us to step back and decide that we had to put more resources into this foreign threat. So one of the things NSA has, we have hackers. And it really, at times, takes a hacker to defeat a hacker. That's the value NSA can bring is, we can identify people, specific people involved in some of these activities.
The NSA helped identify the Russian hacker responsible for the Colonial Pipeline attack. And in January 2022 – after months of negotiations – Russia arrested him and other accomplices. But five weeks later – it all came undone.
Rob Joyce: Following the Ukraine invasion, those people were let outta jail.
Bill Whitaker: So they're back in business?
Rob Joyce: Yes, sir.
And now, they've teamed up with the young native English speakers of Scattered Spider. The FBI's Bryan Vorndran calls it an evolution of cybercrime.
Bryan Vorndran: In the case of Scattered Spider, is it powerful that they are with BlackCat? Of course. I think that it's important to know that we are against a very capable set of adversaries, they're very good at their work. We're also very good at our work.
In January, the Bureau arrested a 19-year-old from Florida, Noah Urban, charged with stealing cryptocurrency. He's pleaded not guilty. Cyber investigators have tied him to Scattered Spider, but so far not to the casino heists. Last month brought two more arrests, both tied to Scattered Spider, one allegedly involved in the casino hack. Others are still out there hiding in plain sight. Allison Nixon calls Las Vegas a harbinger.
Allison Nixon: The level of cybercrime has risen to the point where it feels overwhelming. And every year it gets worse. And it feels like as defenders we're-- it's almost like we're winning every battle and losing the war.
Produced by Graham Messick. Associate producer, Jack Weingart. Field associate producer, Eliza Costas. Broadcast associate, Mariah B. Campbell. Edited by Matthew Lev.