Morning Overview

Ransomware gangs just hit a dozen companies in a single day — hospitals, law firms, a Vegas convention center, and an auto supplier all locked out at once

On a Wednesday morning in late 2023, guests at MGM Resorts properties across the Las Vegas Strip discovered that digital room keys had stopped working, slot machines had gone dark, and the check-in process had reverted to pen and paper. Hundreds of miles away, nurses at Ascension hospitals in multiple states were told to stop using electronic health records and start documenting patient care by hand. Ambulances were rerouted. Surgeries were delayed. In both cases, the cause was the same: ransomware operators had burrowed into critical systems and detonated encryption payloads that brought sprawling organizations to a halt.

These were not isolated events. Over the past three years, ransomware crews have repeatedly demonstrated the ability to strike across unrelated industries in rapid bursts, exploiting the same class of vulnerabilities in remote-access tools and authentication protocols. Hospitals, casinos, law firms, manufacturers, and convention venues share more digital infrastructure than most people realize, and attackers know it. The result is a threat landscape where a single campaign can ripple across sectors, locking out organizations that have nothing in common except a misconfigured VPN or a missing software patch.

The MGM breach: a nine-figure case study

MGM Resorts International provided one of the most transparent public accounts of ransomware damage ever filed by a major corporation. In a September 2023 regulatory filing with the Securities and Exchange Commission, the company disclosed that it had shut down certain systems, engaged outside cybersecurity experts, and launched an investigation into the scope of the intrusion.

A follow-up SEC filing put a number on the wreckage: roughly $100 million in negative impact to Adjusted Property EBITDAR across its Las Vegas Strip Resorts and Regional Operations. That figure, reviewed by legal counsel and auditors before it reached investors, captures lost revenue and remediation costs and remains one of the most precisely quantified ransomware losses on record. The company reportedly declined to pay the ransom, choosing instead to rebuild systems from backups, a process that stretched over days while guests experienced disruptions ranging from long check-in lines to canceled reservations.

The MGM attack was widely attributed to a threat cluster known as Scattered Spider, a loosely organized group of young, English-speaking hackers who used social engineering to trick a help-desk employee into resetting credentials. That single phone call gave attackers a foothold that cascaded into property-wide outages across one of the world’s largest hospitality companies.

Ascension: when ransomware reaches the bedside

In May 2024, Ascension, one of the largest nonprofit health systems in the United States with roughly 140 hospitals, confirmed a cybersecurity event that forced sweeping operational changes. According to reporting by the Associated Press, the health system diverted ambulances from several emergency departments, postponed non-urgent medical tests, and cut off clinicians’ access to electronic health records. Nurses and doctors reverted to paper charting, a process that slows care and increases the risk of medication errors.

Ascension brought in Mandiant, Google’s incident-response arm, to investigate and began coordinating with federal authorities. The health system did not publicly confirm whether the attack involved ransomware, but the U.S. Department of Health and Human Services later identified the incident as a ransomware attack linked to the Black Basta group, a prolific operation that has targeted healthcare organizations across North America and Europe. The operational symptoms, including locked electronic records, diverted ambulances, and delayed lab results, matched the playbook security researchers had tracked across dozens of Black Basta intrusions.

The Ascension breach came just months after the Change Healthcare attack in February 2024, which disrupted insurance claims processing for pharmacies and hospitals nationwide and affected an estimated one in three Americans’ health data. Together, these incidents underscored a grim reality: healthcare’s dependence on interconnected digital systems has made it one of the most consequential targets for ransomware operators, and the people who suffer most are patients.

Why attackers can hit multiple sectors at once

A joint advisory published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and European partners including the Netherlands’ NCSC-NL offers the clearest public explanation of how ransomware groups pull off rapid, cross-sector campaigns. Advisory AA24-109A, focused on the Akira ransomware group, details how operators scan the internet for organizations running VPN appliances with known vulnerabilities or weak multi-factor authentication configurations.

The key insight is that the attackers are not choosing targets by industry. They are choosing targets by vulnerability. A hospital running an unpatched Cisco VPN gateway looks identical to a law firm or an auto parts supplier running the same device with the same flaw. Automated scanning tools can identify thousands of exposed systems in hours, and once inside, attackers move laterally through networks, exfiltrate sensitive data, and deploy encryption payloads, often completing the entire cycle in under 48 hours.

This explains the pattern that has alarmed cybersecurity officials: clusters of victims across unrelated sectors appearing in short windows. It is not necessarily coordination in the traditional sense. It is efficiency. A single crew working through a list of compromised credentials can lock out a hospital on Monday, a convention center on Tuesday, and a manufacturer on Wednesday without changing tactics or tools.

By mid-2025, CISA and the FBI had issued updated guidance reflecting lessons from the MGM, Ascension, and Change Healthcare incidents, urging organizations to treat VPN and remote-access hardening as an emergency priority rather than a routine maintenance item.

What the public record does and does not show

The documented cases paint a clear picture of ransomware’s capacity to disrupt multiple industries in quick succession. MGM’s SEC filings provide legally binding, audited evidence of nine-figure losses. The Ascension incident, corroborated by AP reporting and federal agency statements, demonstrates that healthcare systems face life-safety consequences when ransomware hits. The CISA advisory on Akira explains the technical mechanics that make cross-sector campaigns possible.

What the public record does not yet contain is a single confirmed incident in which one ransomware group simultaneously locked out a dozen organizations spanning hospitals, law firms, a Las Vegas convention center, and an auto supplier on the same calendar day. The individual pieces of that scenario are well-documented: each of those sectors has been hit, the attack methods are shared, and the timelines of known campaigns show bursts of activity across industries. But no joint forensic report, law enforcement announcement, or coordinated victim disclosure has tied all of those elements together into one verified event.

That distinction matters. Ransomware’s real-world impact is severe enough without embellishment. The pattern of rapid, multi-sector attacks is genuine and accelerating. But responsible reporting requires separating what is confirmed from what is plausible, and right now, the most dramatic version of this story sits in the plausible category.

What organizations and ordinary people can do now

For security teams, the CISA advisory reads like a checklist with the urgency turned up. Audit every VPN appliance and remote-access gateway. Enforce phishing-resistant multi-factor authentication, not just SMS codes. Patch the specific CVEs listed in the advisory before attackers find them. Disable remote-access services that are not actively in use. Segment networks so that a breach in one department does not cascade into a property-wide or system-wide outage. Rehearse incident-response plans with tabletop exercises that simulate ransomware scenarios, including the decision of whether to pay.
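The checklist above, applied to a small constructed inventory, as an added example that is not from the article or the CISA advisory. Host names, field names, versions and the 90-day idle threshold are assumptions; `fixed_in` stands in for the first patched release named in a vendor advisory.

```python
from datetime import date

# Assumption: methods treated as phishing-resistant (FIDO2/WebAuthn, PKI smart cards).
PHISHING_RESISTANT = {"fido2", "piv"}

# Constructed inventory; hosts, versions and field names are hypothetical.
# "fixed_in" stands for the first patched release named in the vendor advisory.
INVENTORY = [
    {"host": "vpn-hospital", "firmware": "9.12.3", "fixed_in": "9.12.4",
     "mfa": "sms", "last_session": date(2024, 5, 6), "segmented": False},
    {"host": "vpn-lawfirm", "firmware": "9.12.10", "fixed_in": "9.12.4",
     "mfa": "fido2", "last_session": date(2024, 5, 7), "segmented": True},
    {"host": "rdp-legacy", "firmware": "4.1", "fixed_in": "4.1",
     "mfa": None, "last_session": date(2023, 11, 2), "segmented": True},
]


def version_key(text):
    """Turn '9.12.10' into (9, 12, 10) so releases compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_gateway(gw, today, idle_days=90):
    """Return the checklist items this gateway fails, in checklist order."""
    findings = []
    if gw["mfa"] not in PHISHING_RESISTANT:
        findings.append("mfa-not-phishing-resistant")
    if version_key(gw["firmware"]) < version_key(gw["fixed_in"]):
        findings.append("unpatched")
    if (today - gw["last_session"]).days > idle_days:
        findings.append("unused-disable")
    if not gw["segmented"]:
        findings.append("not-segmented")
    return findings


def audit(inventory, today):
    """Map host -> findings, worst first, omitting gateways that pass."""
    report = {gw["host"]: audit_gateway(gw, today) for gw in inventory}
    failing = {h: f for h, f in report.items() if f}
    return dict(sorted(failing.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for host, findings in audit(INVENTORY, date(2024, 5, 8)).items():
        print(f"{host}: {', '.join(findings)}")
```

Comparing releases as integer tuples matters here: as plain strings, "9.12.10" sorts before "9.12.4" and the patched gateway would be reported as unpatched.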

The cost of these measures is a fraction of what MGM disclosed in its SEC filing. Even organizations that never face a ransom demand can rack up enormous expenses from downtime, forensic investigations, legal notifications, regulatory fines, and reputational damage. For healthcare providers, the stakes include patient safety and potential violations of federal health-privacy law.

For patients, hotel guests, and employees who find themselves caught in the fallout, the most useful thing to understand is that these disruptions are not random glitches. They are the downstream consequences of attacks on shared digital infrastructure. When a hospital’s electronic records go dark, it is not because a server crashed. It is because someone exploited a known vulnerability that could have been patched. When a casino’s slot machines freeze, it is not a software bug. It is a calculated act of extortion.

That understanding shifts the conversation from technical jargon to public accountability. Every organization that handles sensitive data or operates critical systems owes its customers, patients, and employees a baseline of cybersecurity investment. The ransomware crews scanning for the next unpatched VPN are not slowing down. The question is whether the organizations on the other side of that scan are moving fast enough to close the door before it opens.

*This article was researched with the help of AI, with human editors creating the final content.