The REvil ransomware group claims to have buyers ready for documents containing damaging information about US President Donald Trump and is preparing to auction data on international celebrity Madonna.
The hackers breached the network of Grubman Shire Meiselas & Sacks (GSMLaw), a law firm representing a huge number of A-list celebrities, stealing everything they considered of value before encrypting the data.
Data leak escalation
After unfruitful negotiations with the law firm, REvil published an archive “with the most harmless information” on Donald Trump, a collection of more than 160 emails.
They also said that there would be a weekly auction of client data and that they don’t care who buys it as long as they get paid:
In an announcement today, the hackers said that they have been contacted by individuals who want to “buy all the data about the US president” and that they are content with the proposal.
They also promise to delete their copy of the data, making the buyer the only one who has it. There are no hints about who made the offer or what they’re planning to do with it.
BleepingComputer was told by numerous sources who have reviewed the leaked data that it was harmless and did not contain anything damaging to President Trump.
This alleged sale by the ransomware operators may be an attempt to save face after threatening to ruin Trump’s reputation without having any real data that could hurt him.
To continue their threats against GSMLaw, REvil stated that they plan on auctioning files related to Madonna that they stole from the firm. The start price is $1 million and the same rules apply as before:
REvil, also known as Sodin and Sodinokibi, established its reputation as a professional criminal actor that is strictly financially motivated. The group set up a highly profitable ransomware-as-a-service (RaaS) operation that relies on affiliates who have been in the game for a long time. They are the successors of GandCrab and operate more aggressively.
How REvil got here
While waiting to reach a payment agreement with GSMLaw, REvil published on their site proof that they had a lot of data about VIPs in the entertainment and media business.
The ransom for decrypting the files, initially set at $21 million, was not paid and the hackers threatened to publish what they had pilfered from the New York-based law firm for celebrities.
After 10 days of unfruitful negotiations, the hackers doubled the ransom demand and threatened to publish 756GB of data (contracts, telephone numbers, emails, personal correspondence, NDAs) in 10 rounds.
They kept their word and released the first batch, 2.4GB of documents on Lady Gaga, and announced that “the next person we’ll be publishing is Donald Trump.”
Cyber terrorists and criminals
GSMLaw did not hold back in its statements about the hackers. In a statement to Page Six, the law firm called REvil “foreign cyberterrorists” and then said:
Replying to a request for comments from BleepingComputer, the FBI stated the following:
“Unless the FBI determines the Ransomware was deployed by a designated terrorist organization or nation state, the FBI treats Ransomware investigations as criminal matters.”
While the FBI does not encourage paying a ransom to a criminal actor and advises companies against it, the agency also recognizes the damage a ransomware attack can do to a business.
Executives may be forced to consider paying a ransomware actor to protect shareholders, customers, and employees. In any case, it is strongly recommended to report such an incident to the local FBI field office.
“The FBI encourages victims to not pay a hacker’s extortion demands. The payment of extortion demands encourages continued criminal activity, leads to other victimizations, and can be used to facilitate additional serious crimes. Furthermore, paying a ransom does not guarantee the victim will regain access to their data. The best approach is to focus on defense in depth and have several layers of security as there is no single method to prevent compromise or exploitation,” the FBI told BleepingComputer.
Sometimes, cybersecurity companies tracking ransomware activity may be able to help with file decryption. Not all cybercriminals are top developers, and mistakes in the malware’s encryption code can sometimes be exploited to recover the files without paying the ransom.