A 17-year-old boy has been arrested in Walsall, England, on suspicion of being involved in the ransomware attack against MGM Resorts.
West Midlands Police confirmed the arrest in a press release late on Friday, saying the action was part of a larger campaign involving both the UK's National Crime Agency (NCA) and the FBI.
“We have arrested a 17-year-old boy from Walsall in connection with a global cybercrime group that has been targeting large organisations with ransomware and gaining access to computer networks,” the notice reads.
Names, addresses and phone numbers
“The suspect was arrested on suspicion of offences relating to the Blackmail and Computer Misuse Act and has been released on bail while we continue our enquiries,” police added. “We also recovered evidence at the address, including a number of digital devices which will be subject to forensic examination.”
In September 2023, a hacking collective known as Scattered Spider attacked the computer systems of MGM Resorts International, affecting some casino and hotel computer systems, including the company's website. Mandiant Intelligence CTO Charles Carmakal spoke on LinkedIn about the group, also known as UNC3944, calling it “one of the most prevalent and aggressive threat actors affecting organizations in the United States today.”
The attackers reportedly used vishing (voice phishing) to call an MGM Resorts employee and pose as IT helpdesk. They then obtained network access credentials, allowing them to deploy the ransomware, which ultimately cost the company money. At least 100 million dollars.
The attack sparked an investigation by the FBI, which West Midlands Police confirmed is now investigating Scattered Spider.
“The arrest is part of a global investigation into a large-scale hacking community that has targeted several major companies, including MGM Resorts in the United States.”
Detective Inspector Hinesh Mehta, head of ROCUWM's cybercrime unit, warned cybercriminals to stop targeting businesses with ransomware: “We want to send a clear message: we will find you. It's just not worth it.”