The cyber criminal gang behind the ReVIL or Sodinokibi ransomware attack on New York celebrity law firm Grubman, Shire, Meiselas and Sacks (GSMS) have doubled their ransom demand to $42m and threatened to publish compromising information on US president Donald Trump, according to reports.
In a statement seen by entertainment news website Page Six, the Sodinokibi group – which has also gone by the name Gold Southfield – said they had found “a ton of dirty laundry” on Trump.
The threat reportedly reads: “Mr Trump, if you want to stay president, poke a sharp stick at the guys [GSMS], otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president. The deadline is one week.”
However, according to Page Six, which cited sources close to the firm’s boss, Allen Grubman, it is unclear quite how the hackers have linked the firm to Trump, who, it is understood, has never been a client of the company.
The systems of GSMS, which boasts a glittering client list including names such as Madonna and Rod Stewart, were attacked and encrypted earlier this week. Initially, the cyber criminals demanded $21m, and published legal contracts relating to a recent Madonna tour as proof that they were serious. The increased ransom demand is notable for its sheer size, dwarfing the $2.3m thought to have been paid by Travelex to the same group earlier in 2020.
Emsisoft threat analyst Brett Callow, who has been tracking the GSMS hack, told Computer Weekly that the ransomware gang had now started to publish more of the firm’s data, which totals hundreds of gigabytes of highly sensitive material.
“They uploaded 2.4GB of data supposedly relating to Lady Gaga to a file-sharing service and posted the sharing link on their Tor site,” Callow said in emailed comments. “The data was, however, removed by the file-sharing service because, I assume, the law firm immediately filed a takedown request.”
Callow noted that the criminals would have expected the data to be removed rapidly, and that their priority at this point was to apply more pressure to their victim, rather than to leak information.
GSMS, meanwhile, has confirmed that the group has doubled its ransom demand, and said it was working around the clock to deal with the crisis, with the assistance of cyber security forensics experts and the FBI.
“The leaking of our clients’ documents is a despicable and illegal attack by these foreign cyber terrorists, who make their living attempting to extort high-profile US companies, government entities, entertainers, politicians and others,” the firm said.
“We have been informed by the experts and the FBI that negotiating with, or paying ransom to, terrorists is a violation of federal criminal law. Even when enormous ransoms have been paid, the criminals often leak the documents anyway.”
Read more about ransomware
- Follow these best practices to properly prepare for ransomware and phishing attacks, as well as further steps to stay secure in the face of a pandemic or widespread health event.
- Stronger network security could be the key to preventing a ransomware infection. Follow these five steps to protect your network from ransomware.
- With Travelex’s IT still in disarray and banks and travellers left without access to funds more than a week after it was hit by a ransomware attack, we ask what others can learn from the firm’s experience.
GSMS said it had received overwhelming support from its clients, who recognised that nobody is immune from cyber criminals.
The firm is understood to be refusing to engage with the cyber criminals or enter into any negotiations with them, which Hugo van den Toorn, manager of offensive security at Outpost24, agreed was an entirely correct stance to adopt.
“Paying ransom does not guarantee that the attackers will not do anything with the data,” he said. “As a matter of fact, the worst has already happened – the company’s reputation has been impacted. Paying and dealing with the threat actors might therefore be the absolute last resort.
“Depending on the scale, investigating the matter, informing customers in full and making sure it does not ever happen again, so starting from scratch, might be the best way forward here.”