In the shadowy corners of the dark web, young hackers from the U.S., U.K., and Canada met and teamed up with Russian ransomware hackers, becoming powerful partners in crime.
In the last year, ransomware hackers have targeted hospitals, pharmaceuticals, tech companies, and even Las Vegas' biggest hotels and casinos. Bryan Vorndran, the FBI's top cyber official, called ransomware an "enormous problem," and says no sector, company, or type of organization is off limits to hackers. There are estimates that global losses from ransom payments exceed $1 billion a year.
"Any way you look at the numbers, it's a problem for the global economy, and for the U.S. economy, and for the security of the United States," Vorndran said.
Scattered Spider hackers
A loose-knit group of predominantly native-English speaking hackers, called Scattered Spider by the FBI, are behind some of the recent ransomware attacks, Vorndran said. The group is also known as Star Fraud, UNC3944, and Octo Tempest. Scattered Spider hackers are considered experts in social engineering.
"Part of their success is because they are fluent in Western culture. They know how our society works," said Allison Nixon, chief research officer with the cybersecurity firm Unit 221B. "They know what to say to get someone to do something."
Scattered Spider is just one of many illicit hacking groups, all part of a sprawling collection of online criminals calling themselves "the Community," or "the Com" for short, Nixon said. She describes it as a new, but surprisingly disruptive online subculture. Members of the Com have hacked into companies like Microsoft, Nvidia and Electronic Arts, among others.
The number of people involved has exploded since 2018 from only a few hundred to thousands, Nixon said.
"They connect over the internet. Social spaces where people hang out. Gaming servers," Nixon said. "It's almost analogous to, like, maybe the back alley where the bad kids hang out but on the internet."
Those involved are largely males under the age of 25, though Nixon said teens as young as 13 have also been involved in pulling off major crimes.
Members communicate on messaging apps like Telegram – their chatter a toxic stew of racism and sexism. They often boast about the money they've scammed and how menacing they are.
"There are these toxic online spaces where young people can socialize and mingle with criminals and gang members," Nixon said. "And the end result of all of this is this online subculture has formed that glorifies crime, that measures one's personal worth by how much harm they can cause the world."
Hackers team up
Scattered Spider is one of the most sophisticated offshoots of the Com. Their criminal exploits have caught the attention of cybersecurity companies and earned the respect of other criminal hackers, including one of the most notorious Russian ransomware gangs, BlackCat, also known as ALPHV, who saw the young, native-English-speaking Westerners as a potential "force multiplier" for their ransomware attacks.
"Historically speaking, Russian cyber criminals did not like working with Western cyber criminals," Nixon said. "There was not only a language barrier, but also they kinda looked down on them and viewed them as unprofessional."
Scattered Spider uses its English and social engineering skills to break into companies and other entities. BlackCat provides its experience, platform and its malware, which has been used in some of the most consequential ransomware attacks in recent history.
Cybersecurity researchers believe that BlackCat is made up of former members of the Russian cybercriminal hacking group DarkSide/BlackMatter, which was responsible for the 2021 attack on Colonial Pipeline that caused gas shortages up and down the East Coast. And according to an FBI advisory, "Many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/BlackMatter, indicating they have extensive networks and experience with ransomware operations."
"It's called rebranding," said Jon DiMaggio, who is chief security strategist for cybersecurity company Analyst1. DiMaggio investigates ransomware and the relationships between different cybercriminal groups.
"With the ransomware as a service model, you have that core gang that's the service provider that is providing all these resources and attack services to make their job easy. And then you have the hackers who are the contractors that work for them," said DiMaggio.
Long-established Russian gangs, like BlackCat, offer their services — including the latest malware and experience negotiating ransoms and laundering money — to affiliate hacking groups, like Scattered Spider. If a victim pays a ransom, the funds are split.
Ransomware attacks bring companies to knees
Scattered Spider and BlackCat both claimed credit for the September 2023 ransomware attack on MGM Resorts, which cost the hotel and casino giant more than $100 million. It disrupted operations at a dozen of the most renowned hotels and casinos on the Las Vegas Strip: including MGM Grand, Aria, Mandalay Bay, New York-New York and the Bellagio.
Anthony Curtis, who publishes the "Las Vegas Advisor," was in an MGM property during the ransomware attack. He says people were left dumbfounded as thousands of slot machines suddenly stopped functioning properly.
"So all of a sudden now people are going 'How do I get my money? What's wrong?' And the people were sitting there waiting and couldn't get paid," Curtis said.
As a result of the cyberattack, elevators were malfunctioning, parking gates froze, and digital door keys wouldn't work. As computers went down, reservations locked up and lines backed up at the front desks.
"Anything that required technology was not working," Curtis said.
MGM Resorts declined a request for an interview, but at a conference a month after the hack, CEO and President Bill Hornbuckle admitted the disruptions were devastating.
"For the next four or five days with 36,000 hotel rooms and some regional properties, we were completely in the dark," Hornbuckle said at the conference.
The hackers demanded $30 million to unlock MGM's data. The company refused, but they still paid a price – an estimated $100 million in lost revenue, plus millions more to rebuild their servers.
Hackers got inside MGM's network using social engineering. They zeroed in on an employee, gathering information from the dark web and open sources, like LinkedIn. Next, a smooth-talking hacker impersonated the employee and called the MGM tech help desk. The hacker convinced tech support to reset his password. With that, the hacker was inside MGM's computers and unleashed destructive malware.
Curtis said it was the cyber criminals' version of an "Ocean's Eleven" heist.
"These hackers were able to turn the tables," Curtis said. "The casinos have their systems. They have their protections. They have their experts. They have their security. These guys are better."
Later, MGM's biggest competitor, Caesars, admitted it also suffered a social engineering attack around the same time. It's suspected it was by the same group. Caesars reportedly paid a $15 million ransom and did not suffer any disruptions.
"From an FBI perspective, our position is we recommend a ransom not be paid," Vorndran said. "But we understand it's a business decision during a time of crisis."
He declined to say if any arrests had been made in the Las Vegas cases.
Worries for future
Ransomware hacks have been growing more costly and disruptive every year and cyber security researchers fear it's going to get worse.
The Russian government provides a safe haven for Russian ransomware gangs, said DiMaggio. He added that as long as the hackers don't target organizations in Russia, they don't get prosecuted.
"It's crazy, right? That's how it works though," DiMaggio said.
The most successful Russian gangs are run like legitimate companies with easy-to-navigate online platforms. The leadership are people in their 30s and 40s, DiMaggio said. They often have a financial background.
"There are people that specialize in developing malware and ransomware, and they're in very high demand," DiMaggio said.
Russian ransomware has become such a threat that the elite cyber warriors at the National Security Agency have joined the fight. Rob Joyce, who was the NSA's director of cybersecurity before retiring last month, said the Colonial Pipeline attack was a wakeup call.
"It caused us to step back and decide that we had to put more resources into this foreign threat," Joyce said. "That's the value NSA can bring is, we can identify people, specific people involved in some of these activities."
The NSA helped identify the Russian hacker responsible for the Colonial Pipeline attack. And in January 2022, after months of negotiations, Russia arrested him and other accomplices. But it all came undone five weeks later.
"Following the Ukraine invasion, those people were let out of jail," Joyce said.
And now, Russian hackers have teamed up with the young native-English speaking hackers of Scattered Spider. The FBI's Vorndran calls it an evolution of cybercrime.
"I think that it's important to know that we are against a very capable set of adversaries, they're very good at their work," he said. "We're also very good at our work."
In January, the FBI arrested a 19-year-old from Florida named Noah Urban on charges of stealing $800,000 in cryptocurrency. Urban has pleaded not guilty. Cyber investigators have tied him to Scattered Spider, but so far not to the casino heist. The Scattered Spider hackers who did pull off the attack on MGM are still online – hiding in plain sight – in unholy alliance with Russian hackers. Nixon calls what happened in Las Vegas a harbinger.
"The level of cybercrime has risen to the point where it feels overwhelming," she said. "And every year it gets worse. And it feels like as defenders, it's almost like we're winning every battle and losing the war."