MGM Resorts Ransomware Attack: Disaster Recovery as a Malware Defense

ransomware attack server room

MGM Resorts reported an active Ransomware incident starting on September 11th, and as of September 17th, it had not fully recovered. Rumors are that the company did not pay the ransom and is “recovering” its systems.

It makes you wonder, if a company like MGM Resorts, with all of its available resources, is struggling with a ransomware attack, what does that mean for the everyday company, not on its scale? After all, cyber criminals attack companies of all sizes.

I previously wrote about the concept of using the cloud to test and perfect your malware defenses. The main point is that the cloud could be a safe way to test your preventative measures in a live sandbox environment without the risk of actual contamination.

Why didn’t MGM switch to its Disaster Recovery (DR) system? You would think it would have a mirror of its production systems, and it could “switch over” in such events. Most DR systems are designed to switch over in minutes or hours, but not days or never. There are a few possibilities. One might be that its DR system was also impacted by the attack. The other is that its DR model likely did not include shared components essential to its overall operation, which seems unlikely.

With the complexity of today’s IT network, “everything is connected to everything.” MGM probably has a mature DR architecture, but since all the components of the DR system were most likely visible over their primary IT network, the malware impacted those DR systems as well.

How do you defend against ransomware? 

Here are a few ideas to consider. These ideas were described by a company impacted by ransomware. In addition to using state-of-the-art security and commercial packages to detect intrusions, they built an additional series of “moats” around their castle.

This company created a second copy of its DR system called “shadow DR.” It significantly restricted the inbound communications to it from on-prem and used a one-way “Dropbox” mechanism to transfer database log files and application data to the shadow DR system. By default, it is impossible to inbound SSH or connect to any of the shadow DR servers directly from on-prem. It has a separate mechanism to enable that ability when needed.

In addition, it used IBM midrange servers based on IBM Power to host its databases in the shadow DR. On-prem, all of its architecture is based on x86 running Linux and Windows. This architecture includes the core databases that drive most of its applications. In the shadow DR, it hosts its core databases and application components on IBM Power, running AIX. AIX is a version of Unix specific to the IBM Power platform. It is not binary compatible with x86. That is the key. So a malware binary engineered to run on an x86 system, running Linux or Windows, won’t run on Power AIX.

The Power AIX system still runs a database like Oracle, so all the data is completely compatible between on-prem and the shadow DR, but the CPU architectures are different. There is no way to execute a ransomware binary compiled for x86 on a Power-based system. The same technique would work using the midrange operating system called IBM i. It isn’t binary compatible with anything x86, though it still runs many popular databases and other commonly used business application packages.

Lessons learned from MGM’s ransomware attack

Eventually, we will hear more details of what happened at MGM. There are rumors of “social engineering” being the root cause of how the episode started. Regardless of how it began, the lessons for everyone to take away are:

  1. Have a documented disaster recovery plan that includes natural disasters and ransomware attacks. Most DR plans only include natural disasters.
  2. Figure out a way to practice a ransomware-based DR event. Simulate and practice a malware attack, as suggested in our previous article.
  3. Is your primary DR system directly visible over your IT corporate network? Could the components of it be discovered? DR server visibility is typically not an issue when designing a DR system for natural disasters. For ransomware attacks, hiding a copy of our DR system using a “shadow DR” technique might be worth looking into.

If you are curious about the built-in ransomware defenses of AIX check out theses links:

AIX Secure Boot protecting against malicious programs during boot time

AIX Allow Listing for whitelists on allowed executables during runtime

Disaster Recovery with Skytap

Skytap gives your business the ability to replicate complete production environments in the cloud in their native formats, making it an ideal DR solution and giving your business the peace of mind that data and applications are always accessible. Learn more about Skytap for Disaster Recovery.

Meet the author:
Tony Perez – Cloud Solutions Architect at Skytap

Join our email list for news, product updates, and more.