Under Attack

What to do when your casino is held for ransom

There are two types of casinos: those that have been held for ransom and those that will be. We’re hearing about ransom attacks at the rate of about one per month, and this is likely to only be the tip of the iceberg. What is even more frightening is that the ransom stories being told are about how operators are paying to reopen; these ransoms are emboldening well-organized teams of “ransomers” to infiltrate gaming organizations large and small.

Your organization needs to prepare for ransomware attacks. The best time to do this was five years ago; the second-best time is now.

Ransomware Attackers Have Infiltrated Casinos

Gaming systems, a decade ago, were protected by obscurity during a time when any information about them was difficult to obtain and they were isolated from the world outside of gaming; today, this is no longer the case.

Consider the gaming system being used at your property. It is probable that the systems running the operations were developed sometime between 25 and 35 years ago, along with a wide array of additional systems, each of which adds a possible point of weakness, and the casino operations are dependent on these systems to run the business. In today’s world, cyber agents are not only able to find information about obscure gaming systems, they also have experience attacking them and are actively infiltrating the casino industry with increasing success via ransomware attacks.

We can see in other industries that as criminals concentrate their attacks on an industry vertical, they develop specialized techniques for the industry they have chosen to victimize. Furthermore, ransomware attackers become more proficient and continue to refine their malicious tactics with each attempt to hack a business, gaining insight into how to target attacks in that industry with greater efficacy.

The health care industry is undoubtedly familiar with the relentlessness of cyberattacks, which have cost the industry an amount in excess of $20 billion over just the last five years. The gaming industry needs to learn from the experience of these other industries to prepare for the oncoming ransomware attacks.

Casinos are prime candidates for ransomware attacks, as massive amounts of cash touching their gaming systems create a highly motivating incentive for cybercriminals to target your industry. In addition to the massive cash incentive hackers seek through carrying out ransomware attacks, it is important to be aware of the significant risk that accompanies the highly sensitive information in a casino’s customer database.

Therefore, it is not just the casinos that are being threatened by cybercriminals; your customers are just as much of a target. Consider what a criminal holding a casino for ransom might do with information that includes high-net-worth individuals’ data, such as their behavioral and spending patterns.

On top of the careful deliberation and immediate action that a ransomware attack demands, with the result of any decision anything but certain, your casino also has to mitigate the damage that has been done to its customer relationships. Even if your casino is fortunate enough to have skated by without its customers being personally attacked during the cyber breach, will the customers even return once the property has reopened if trust has been lost?

For properties fortunate enough to have not been successfully attacked by a hacker yet—and especially those that have—that don’t already have a substantial cybersecurity defense in place, it is well past time to implement a comprehensive cyber defense into your operating budget, because more likely than not, your organization is already exposed to thousands of attempted cyberattacks every month.

Recognizing Ransomware Attacks

Ransomware attacks are one of the most difficult cyberattack methods to combat, so it is important to be mindful of how they present themselves and of the fact that attackers are actively attempting to breach casino systems. Pretty much anyone who has ever had an email account has probably received at least one, if not hundreds, of terribly obvious phishing emails and sent them to the trash bin.

However, it is imperative to remain cognizant of phishing emails that are not as obvious as one might assume. It is unsettlingly simple for anyone to send an email from a fake address that convincingly appears to come from an employee’s manager, and for that employee to fail to recognize that something wasn’t quite right about the message.

There are dozens of fundamental computer systems within a gaming operation, so it is important to always be aware of any known issues and to make sure that knowledge of these faults is limited to those who should have it, because ransomware agents are able to take advantage of these weaknesses to begin attacking the systems.

These opportunities for cyberattackers include zero-day vulnerabilities. Zero-day attacks are attacks that take place through known weaknesses in core systems, such as Microsoft Windows. These attacks are virtually unstoppable. Attackers can, for example, initiate zero-day attacks against organization-issued iPhones. Consider that the web browser Chrome experienced and resolved at least six zero-day flaws last year; hopefully this example gives some perspective on how possible, or more so how likely, this is at your property.

Trojan horses are another common threat: hidden malicious code imposed onto a legitimate software program, which makes its way onto the device through a software download that appears legitimate to the victim downloading it. Cybercriminals even attempt to bribe casino employees as a means of obtaining internal information or access.

Ransomware Defense: Steps for Mitigation

The first step in mitigation is to install a redundant gaming system at the property. With this system in place, the property will be able to continue operations by merely switching to the redundant gaming system in the event of a ransomware cyberattack. The backup gaming system, albeit a likely imperfect solution, will accomplish the job of keeping the business open.

The backup system that runs on the second SAS port should be able to instantly fail over to an entirely different physical environment. Started in passive monitoring mode, it can then be switched to an active gaming system if the property perceives a cyberattack taking place. For this step to remain effective in the event of a ransomware attack, the organization will need to make sure that real-time player card, points, and promotion data are maintained.

Another part can be added to this first recommended step as an additional security measure: implement a manual system at the property. This will be tremendously useful in the event that the ransomware attack imposes a complete system lockdown.

The second action that should always be taken is probably the most obvious: back up the property’s casino data. Backups should be running every minute, and are good practice to implement if the operation is not already doing so. Data backups are a crucial method of steering clear of encryption attacks, because the encrypted data can perhaps be restored; they also ensure that the organization can be restored to business as usual in case a power outage occurs, while minimizing the loss of information.

Isolating and segmenting the casino’s systems is the third step. The systems are running on a physical network, so make sure that the necessary gaming systems are capable of being completely isolated from the external environment and any other systems. Ensuring complete isolation can be expected to require diligent planning, keeping in mind that some games (wide-area progressives, for example) will require external connection. By taking this precaution to create complete isolation, a casino will allow the organization to entirely cut off critical systems and allow for logins.

The fourth step, running full cybersecurity defense mechanisms, will be an increasingly useful tool in defending against certain ransomware attacks. These highly sophisticated cyber defense mechanisms go much further than basic penetration testing, extending the use of artificial intelligence (AI)- and machine learning (ML)-based active monitoring tools to identify the existence of unusual sequences of input/output functions.

For example, a conspicuous change in an operation’s daily incremental backup volume will alert system administrators. In addition to being an essential indicator that a ransomware attack on the casino is happening before a human would be able to realize it, it is incredibly useful as it helps identify the most recent known good backup during the process of recovering.
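One way to implement the backup-volume check described above, as an added example that is not from the original article. The 14-day baseline, the alert threshold, the function names and the sample volumes are all assumptions constructed for illustration.

```python
from datetime import date, timedelta
from statistics import median

WINDOW = 14         # assumed: days of history used as the baseline
THRESHOLD = 6.0     # assumed: robust z-score that raises an alert
MAD_SCALE = 1.4826  # scales a median absolute deviation to a std. deviation

def robust_z(value, baseline):
    """Distance of value from the baseline median, in robust deviations."""
    med = median(baseline)
    mad = median(abs(v - med) for v in baseline)
    # Floor the spread so a very flat baseline does not flag ordinary noise.
    spread = max(MAD_SCALE * mad, 0.05 * med, 1e-9)
    return (value - med) / spread

def scan_backups(history, window=WINDOW, threshold=THRESHOLD):
    """history: [(date, incremental_gb)], oldest first.
    Returns (alerts, last_known_good_date)."""
    baseline, alerts, last_good = [], [], None
    for day, gb in history:
        if len(baseline) < window:
            # Assumption: the warm-up period predates any compromise.
            baseline.append(gb)
            last_good = day
            continue
        z = robust_z(gb, baseline)
        # Mass encryption rewrites files, so incrementals balloon; a sudden
        # collapse (backup job disabled) is flagged too, hence abs().
        if abs(z) >= threshold:
            alerts.append((day, gb, round(z, 1)))
            continue  # never let a suspect day pollute the baseline
        baseline = baseline[1:] + [gb]
        if not alerts:
            # After the first alert, later backups stay unverified until
            # someone reviews them, so the restore point is frozen.
            last_good = day
    return alerts, last_good

# Constructed sample: about 40 GB a day, then two abnormal days.
START = date(2024, 1, 1)
SAMPLE_GB = [41, 39, 42, 40, 38, 43, 41, 40, 39, 42, 44, 40, 41, 39,
             42, 40, 43, 41, 310, 455, 40]
SAMPLE = [(START + timedelta(days=i), gb) for i, gb in enumerate(SAMPLE_GB)]

if __name__ == "__main__":
    found, restore_point = scan_backups(SAMPLE)
    for day, gb, z in found:
        print(f"ALERT {day}: {gb} GB incremental (robust z = {z})")
    print("most recent known good backup:", restore_point)
```

The median-based baseline is used instead of a mean so that one abnormal day cannot drag the baseline toward itself and mask the next one.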

A fully implemented cybersecurity defense mechanism accompanied by a well-resourced cybersecurity defense team that constantly monitors cyber protection will prove to be an immensely valuable asset to the casino’s cybersecurity efforts. The aforementioned AI/ML applications aren’t a perfect defense on their own despite providing additional significant layers of protection to an operation’s cyber defense; therefore, the software used in conjunction with a serious cyber security defense team should be an essential part of every gaming operation’s budget.

Without taking these more drastic security measures and ensuring that a cyber defense budget is in place for them, the casino will be spotted by cyberattackers as an easy target and should start planning their ransomware defense now because it will only be a matter of time until the attack commences, if it is not happening already.

Fighting Cyber Crime

Taking precautions and having active defenses against ransomware attackers is an absolutely necessary element of a secure gaming operation in today’s world. Even more so, it is necessary to maintain the integrity of the business operation and to continue earning the trust it requires from its patrons.

Should a casino choose not to take additional cybersecurity measures, you might want to consider whether you are prepared, both personally and professionally, to take on the excruciating hassle of attempting to cope with a cybercriminal. If that somehow seems like a manageable task to anyone, then a substantial amount of your budgeting should be dedicated to purchasing Bitcoin in preparation for paying the ransom of your next attack.

However, keep in mind that the cybercriminal could very well take the untraceable currency and whatever other demands the casino has ceded to without returning whatever casino assets they held ransom. Additionally, ceding to a hacker’s demands simply encourages these cybercriminals to further engage in illegal behavior and is generally regarded as a very bad idea by the intelligence community.

Committing to cybersecurity defense, on the other hand, will be a much more valuable and efficient use of time and resources for your casino.

  • The ransomware attacks have discovered casinos. These ever-more-sophisticated ransomware attacks are specifically targeting your backup data and administrator functions to disable the ability to restart the organization.
  • Your gaming operation, once protected by obscurity, faces the growing threat of increasingly sophisticated ransomware, with successful attacks being launched by criminals against gaming organizations from around the world.
  • Ransomware is a part of a broader cyberattack that could involve compromising your key personnel, critical systems and administrative functions.
  • Ensure your property is ready to run in a protected cocoon. Land-based properties have one major advantage in that you can run unconnected from the internet. Have a process in place to do this and practice this isolation plan.
Andrew Cardno is an established thought leader in visual analytics, with over 21 years of experience in the field. He has led private Ph.D./masters research teams in visualization/development for over 15 years, which won Cardno two Smithsonian Laureates and more than 12 innovation awards.