Crooks behind REvil ransomware found an extra income source – stolen data auction
The operators of REvil[1] ransomware, a.k.a. Sodinokibi, keep inventing new ways to get rich even when victims refuse to pay the ransom. In early June, researchers[2] spotted a new section called "Happy Blog Auction (new)" on the gang-operated leak site on the dark web.
This section turned out to be a newly launched data auction, which is already inviting bidders to place bids on the leaked credentials of the celebrity law firm Grubman Shire Meiselas & Sacks (GSMLaw)[3], U.S. President Donald Trump, Madonna, a Canadian agricultural company, and others.
The REvil auction is available to registered users only, and registration is required separately for each auction. Each bidder has to pay a deposit of 10% of the starting price as proof of being a solvent buyer. The deposit is supposedly refunded as soon as the auction finishes if another bidder wins. However, if the bidder wins but fails to pay the remainder of the price, the deposit is kept by the REvil gang.
The gang accepts payments in the Monero (XMR)[4] cryptocurrency only. Although earlier victims of the REvil ransomware virus were urged to pay ransoms in Bitcoin, the gang switched its currency preference in April last year because Monero offers more suitable privacy and anonymity properties.
Grubman Shire Meiselas & Sacks celebrity clients’ data has already been exposed publicly on the leak site
Before launching the Happy Blog Auction, the crooks running the infamous REvil ransomware business exposed some data entries on Lady Gaga, one of GSMLaw's clients. The law firm had refused to pay the $42M ransom demand and expressed doubts that the REvil ransomware attack was real.
In response, the criminals uploaded 2.4GB of data, though most of the entries were of little use from the extortionists’ viewpoint, since they revealed nothing about the celebrity beyond official documents, lists of collaborators and producers, expense sheets, and similar information.
However, it seems the idea of launching an eBay- or uBid-like auction was born when the criminals started receiving requests to sell Trump’s “dirty laundry.”
There’s an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever.
The lot of Trump-related data was the first one on the leak site, with a starting price of $1,000,000. The crooks later announced that this data had been sold to an unknown buyer. However, no one really knows whether that is true, because Trump’s representatives claim[5] that the President has never been a GSMLaw client, whether as a businessman, a private individual, or the President.
Currently, REvil ransomware operators are selling the stolen data of a U.S. food distributor (Blitz, i.e. buy-it-now, price of $200,000) and a Canadian agricultural company ($100,00 for now, though the price keeps rising).
REvil – the biggest headache for corporations
REvil is a relatively new ransomware strain: it emerged less than a year ago and has already carried out a number of targeted attacks. What sets this encryption-based ransomware apart from most others is that it never targets individual home users.
The extortionists plan their attacks thoroughly. Typically, they exploit zero-day vulnerabilities like CVE-2019-2725 or CVE-2018-8453, which let them break into corporate servers and then launch the ransomware manually. All attacks are therefore deliberate and well planned.
REvil ransomware is also known for both encrypting files on servers and leaking credentials en masse by connecting to the operators’ C2 server. In the GSMLaw hack, the firm’s server administrators did not spot any traces of the breach, since the data had not yet been locked. With this in mind, cybersecurity experts are raising red flags to increase the awareness of business server administrators.