Las Vegas – MGM Resorts International’s refusal to pay ransom to hackers who disrupted their systems cost the company an estimated $30-40 million, but experts say it was the right move to avoid setting a dangerous precedent.
In early September, MGM was hit by a ransomware cyberattack that brought down reservation systems and other operations nationwide. The hackers demanded an unspecified amount of money to restore access. Rather than give in, MGM chose to weather the disruption, which ultimately lasted over two weeks and impacted hotels, casinos, and events across its properties.
“Just like the FBI or any federal law enforcement agency will tell you, the best way to deal is not to pay. The more organizations pay, the more cybercriminals are going to keep doing it,” said National Cybersecurity Alliance Executive Director Lisa Plaggemier in an interview. She commended MGM for taking a stand despite the costs.
The attack forced MGM to manually check in guests, issue room keys, and pay out slot machine winnings in Las Vegas. Several shows and concerts were canceled. Their online reservation system crashed, prompting MGM to waive cancellation and change fees during the crisis.
MGM likely lost $8-10 million per day
According to experts, MGM likely lost $8-10 million per day, racking up costs far beyond the ransom amount. However, the move avoids setting a dangerous precedent of paying off criminals that could lead to more attacks.
“At the end of the day, they’re criminals,” Plaggemier explained. “Considering that you know these are individuals who did this in the first place, are you really going to take their word for it?”
The stance contrasts with competitor Caesars Entertainment, which opted to pay hackers $15 million when faced with a similar attack just weeks prior. Caesars’ operations were restored quickly, leading to questions over whether MGM should have also paid. But experts argue Caesars’ payout could encourage repeats, whereas MGM’s refusal sends a strong statement.
Over two weeks after the initial attack, MGM’s systems are coming back online. Their reservations system was restored last week, and staffing has been increased to manually handle guest needs. The company says they will continue waiving fees and compensating guests impacted during the recovery process.
Though the costs were steep, analysts say MGM took a long-term view. “This was an investment in their security posture going forward,” said Stanton Coville, a cybersecurity lecturer at University of Las Vegas. “Paying ransoms invites copycat attacks, but refusing shows you won’t cave to criminals.”
Professor Alina Matryokhina, a cybersecurity expert at UNLV, agreed. “Paying ransoms is akin to bribing kidnappers and only fuels further criminal activity,” she explained. “Companies must take a united stand, or these attacks will keep escalating.”
With digital operations increasingly critical to casinos, resorts are obvious targets for hackers. Both MGM and Caesars have said they will boost security investments after the attacks.
Nevada Gaming Control Board Chair J. Brin Gibson said regulators are working closely with casinos to ensure oversight and security of gaming systems. “Cyber risks pose a growing threat to our licensees,” he acknowledged. “We’re committed to ensuring defences are adequate.”
For now, Las Vegas remains on high alert for copycats seeking quick payouts. “These attacks highlight vulnerabilities in the digital economy,” said Tony Delgado, founder of Las Vegas-based Disrupt, a cybersecurity firm. “All businesses need to re-examine defences against ransomware.”
MGM is still tallying the full financial impact, but Delgado projects costs around $30-40 million. The months-long recovery underscores why some wanted MGM to cave.
Ultimately, the move may save money in the long run by not emboldening hackers. As Plaggemier summarized, “You have to think about the broader consequences, not just the short-term costs.”
MGM’s 15-day disruption dealt a major blow, but cybersecurity experts overwhelmingly agree the company’s refusal to pay ransom was the right move. In the modern digital economy, precedent and deterrence carry far more weight than any single attack.