Sault Tribe Refuses to Pay Ransomware Attackers as Kewadin Casinos Reopen
Posted on: March 5, 2025, 05:17h.
Last updated on: March 6, 2025, 10:10h.
- The Sault Tribe’s five Kewadin casinos are now open after ransomware attack
- The tribe refused to pay hackers for stolen private data
- Customers who think they might be affected are urged to take precautions
Michigan’s Sault Ste. Marie Tribe of Chippewa Indians have confirmed they refused to pay a ransom to hackers who attacked their Kewadin casino operations and won’t pay to recover confidential data stolen by the cybercriminals.

The Sault Tribe battled for over two weeks to regain control of its systems after the February 9 attack disrupted gaming operations at its five Upper Peninsula casinos and other tribal services.
The casinos began reopening in stages last Wednesday, February 26, and all five resumed normal services as of noon on Wednesday, March 5. Despite the mayhem, which included disruption to government offices, health clinics, and other businesses, the tribe refused to give in to the hackers.
‘No Point Paying’
“Leadership worked with law enforcement groups, external cyberexperts, and others to evaluate whether or not to pay that ransom,” the tribe’s chairman Austin Lowes explained on Facebook. “After much deliberation, we have determined there is no point in paying their ransom demand.”
Lowes said his IT team worked closely with external cybersecurity experts to combat the threat. The tribe was eventually able to regain control of the systems and recover almost all of its data.
“There was no guarantee we would have received what was promised. We could have paid their ransom and still had our data shared on the dark web,” Lowes added.
You Don’t Write, You Don’t Call
In a bizarre twist, at the height of the crisis, the hackers wrote a letter to the local tribal newspaper, The Sault Tribe Guardian, to complain about the lack of response from tribal leadership.
The criminals claimed to have stolen 100 gigabytes of confidential data but had received no communication, despite sending “detailed instructions via phone voicemails, corporate and personal emails, and internal network messages.”
The hackers added that “the financial situation of the tribe is sufficient to cover the expenses associated with this cyberattack.”
“To be clear, we had no intention of harming the Tribe – our motives are purely financial,” they explained.
What is RansomHub?
DataBreaches.net reported that RansomHub, a global hacker group, has claimed responsibility via a post on the Dark Web. The group was one of the most active ransomware operators in 2024, with around 500 victims reported.
RansomHub uses the so-called “double-extortion model,” which involves extorting victims by encrypting systems and stealing data, then demanding payment.
“We’ve begun the process of reviewing that stolen information so we can reach out to those who have been impacted and provide free credit monitoring services,” Lowes said. “This review will take time, though, since our team must manually review hundreds of thousands of documents to determine what information may have been stolen and who that information belongs to.”
In the meantime, he urged those who believe they might be affected to take steps to protect themselves by asking their credit card providers to monitor for suspicious behavior, changing their passwords, and contacting credit reporting agencies to inform them of the attack.
Last Comment ( 1 )
Not paying the ransom is the best choice. Entities, organizations, and businesses that do pay a ransom are funding these hacking groups to continue with their ill intentions.