REvil auctions off celebrities' stolen data by hacking law firm, Grubman Shire Meiselas and Sacks

Hey, guys! I’m back with more interesting news to share with y’all today. 

Normally, attackers would be all hush-hush while exploiting a victim and exfiltrating its data so no one knows what they're up to. More often than not, we only get to know about an incident, well… after it has become an incident. So, imagine my surprise and shock reading the news about a threat actor who has the audacity to announce to the world that they're going to expose stolen data if the demanded ransom isn't paid.

Pretty sure I caught your attention now. Let’s get into the details!

Grubman Shire Meiselas and Sacks, New York
Grubman is a law firm that represents numerous celebrities, including Lady Gaga, Nicki Minaj, LeBron James, Mariah Carey and many more. Earlier this month, they got hacked by the notorious ransomware threat actor REvil, also known as Sodinokibi or Sodin. This ransomware attack was paired with a data breach that resulted in Lady Gaga's legal documents and other data being exposed on a darknet auction site for stolen data.

As you can see, this isn't the typical ransomware attack we've seen so far. Having a secure backup of all the data isn't enough, because REvil had already stolen a copy of it before encrypting anything. In this case, they threatened to post the data online or sell it off to the highest bidder on the dark web if their demands weren't met.


Figure 1: REvil auction site announcement

Fast forward to what’s happening right now

REvil has promised to conduct auctions lasting 3 months. What's the item to be auctioned off, you ask? Stolen data of performers and athletes, starting with Nicki Minaj, Mariah Carey, and LeBron James. For these 3 celebrities, the bids start at $600,000 on July 1, 2020.

How do I know this? Take a look at the image below, which was pulled by the researcher behind the Twitter account Ransom Leaks. Ransom Leaks tracks ransomware gangs' data-leaking efforts.


Figure 2: REvil's "Happy Blog" data leaks site states auction details

Reading through the grammatically challenged auction announcement, you'll find the hackers saying how the data exposure can affect those involved both in a good way and in a very bad way. They claim to have documents that will put the celebrities involved in a tight spot over bribery, sexual harassment, drug addiction, treachery and more.

Initially, REvil wanted to upload everything in one go, but they changed their mind and decided to split the archive into smaller groups before making them publicly available. REvil promises that once a chunk of data has been sold to the highest bidder, it will be removed from their servers so that the data exists nowhere else but with the buyer. They guarantee this by their "name and reputation".

The only kill switch for this auction that can prevent the exposure of the sensitive data: $42M to buy the entire archive of documents in a single sale by a single person.

Lesson Learned

I think the biggest takeaway from this incident is that a ransomware attack is no longer a standalone event. It may have been one at some point, but things have changed. Hackers know that secure, clean backups mean they don't get their ransom. To make sure they still reach their ultimate goal (the ransom), they've added data theft and the threat of data exposure, because if there's one thing that makes a man shiver, it's fear.

Understanding this simple human psychology, the Maze ransomware gang was the first to use this strategy and force their victims to pay. Very soon, at least a dozen other gangs followed suit, including DoppelPaymer, MegaCortex, Nemty, Snatch and REvil.

That’s it for the blog today, y’all! Feel free to drop comments and share this blog if you found it interesting.

Stay safe and stay tuned. 

Until next time, friends!

Credits: BankInfoSecurity
