Sault Tribe Refuses to Pay Ransomware Attackers as Kewadin Casinos Reopen

In a strong stance against cybercrime, Michigan’s Sault Ste. Marie Tribe of Chippewa Indians has confirmed its refusal to pay a ransom to hackers who targeted its Kewadin casino operations. The tribe has decided not to pay to recover the confidential data stolen by the cybercriminals.

Kewadin Casinos Reopen

The Sault Tribe’s five Kewadin casinos, which were disrupted for over two weeks following a ransomware attack on February 9, have now reopened. The attack had also affected other tribal services, including government offices and health clinics. The casinos began reopening in stages on February 26, and as of noon on March 12, all five are back to normal operations.

Decision to Not Pay Ransom

“Leadership worked with law enforcement groups, external cyber experts, and others to evaluate whether or not to pay that ransom,” explained the tribe’s chairman, Austin Lowes, on Facebook. “After much deliberation, we have determined there is no point in paying their ransom demand.”

Lowes added that the tribe’s IT team worked closely with external cybersecurity experts to combat the threat and eventually regain control of their systems, recovering almost all of their data. “There was no guarantee we would have received what was promised. We could have paid their ransom and still had our data shared on the dark web,” he stated.

Hackers’ Unusual Communication

In an unusual twist, the hackers wrote a letter to the local tribal newspaper, The Sault Tribe Guardian, expressing frustration over the lack of response from tribal leadership. The cybercriminals claimed to have stolen 100 gigabytes of confidential data and complained about not receiving any communication despite sending “detailed instructions via phone voicemails, corporate and personal emails, and internal network messages.” They emphasized that their motives were purely financial and that they did not intend to harm the tribe.

RansomHub’s Involvement

DataBreaches.net reported that the global hacker group RansomHub claimed responsibility for the attack through a post on the dark web. RansomHub was one of the most active ransomware operators in 2024, with around 500 victims reported, and is known for using a “double-extortion model.” This model involves extorting victims by encrypting systems and stealing data, then demanding payment.

Steps to Protect Affected Customers

“We’ve begun the process of reviewing that stolen information so we can reach out to those who have been impacted and provide free credit monitoring services,” Lowes said. He acknowledged that the review would take time as the team must manually review hundreds of thousands of documents to determine what information was stolen and who it belongs to.

In the meantime, Lowes urged those who believe they might be affected to take steps to protect themselves by:

  • Asking their credit card providers to monitor for suspicious behavior
  • Changing their passwords
  • Contacting credit reporting agencies to inform them of the attack

This decisive response from the Sault Ste. Marie Tribe of Chippewa Indians serves as a reminder of the importance of cybersecurity and the need to stand firm against cybercriminals.