Sodinokibi cyber criminals plot to ‘auction’ Madonna data

The cyber criminal gang behind a recent attack on a New York law firm is planning to auction off its client data, one person at a time

The cyber criminal gang holding a New York celebrity law firm’s data to ransom for $42m have said they will hold an online auction of data relating to pop star Madonna on 25 May 2020 and set a $1m reserve price on the information.

The Sodinokibi, or REvil, group cracked the systems of Grubman, Shire, Meiselas and Sacks, which specialises in famous clients, last week, stealing data on Madonna and other music industry celebrities. It has already published a quantity of information relating to Lady Gaga, although this was swiftly removed from the internet.

Over the weekend of 16 and 17 May 2020, the gang again turned the screws on its victim, posting a lengthy screed in which it acknowledged that Grubman had been advised by law enforcement not to negotiate or pay, but that this made no difference.

The gangsters also referenced statements made by the firm in which it said it had received the support and backing of the affected clients, but questioned whether that would continue if their data was published.

In the statement, a copy of which has been seen by Computer Weekly, the group went on to threaten to auction off client data every week until it is paid off.

“This data will be bought either by the stars themselves, or various media and blackmail them then, or simply kind people with good intentions. We do not care. The main thing is we will get the money,” the gang wrote.

“Accordingly, after this, people will begin to have problems. And, oh yes, they will know who to blame for this. And who put their safety and reputation in exchange for money.”

The gangsters also indulged in some showboating, saying that “these idiots” – presumably US law enforcement – would not be able to crack their cryptography, and that they would “have fun watching with popcorn”.

In a second statement published to its blog, the group set out its conditions for the proposed 25 May auction. It said the transaction would be confidential and that it would delete its copy of the data, giving whoever buys it the right to do with it as they see fit.

The Sodinokibi gang had also threatened to release data relating to US president Donald Trump, which raised eyebrows as Trump was never a client of the firm. However, as of 18 May, this threat has apparently been withdrawn.

In the second statement, the cyber criminals said: “Interested people contacted us and agreed to buy all the data about the US president, which we have accumulated over the entire time of our activity. We are pleased with the deal and keep our word.”

Emsisoft threat analyst Brett Callow said he suspected the group had no dirt on Trump, or at least nothing substantial.

“Claiming that the data was privately sold solves the problem of them needing to produce information they did not actually possess. That said, the group has exfiltrated data from numerous corporate networks so, if there were ‘dirty laundry’ out there, it’s possible they may have found it. What, if any, information they actually had is something that may never be known,” he said.

“It is, however, likely that they do have information relating to Madonna and, as the firm has stated it cannot legally pay the ransom demand, selling that data is the only way for them to monetise the attack. Consequently, I suspect that the auction will indeed take place.”

Colin Bastable, CEO of Lucy Security, warned that the gang’s assessment that Grubman would see its wellspring of support run dry if much more information is published was accurate.

“That client support will turn to overwhelming ‘lawfare’ if the celebrities feel pain. If people need a lesson on how hackers fuse psychology, marketing and ‘impending event’ sales closing, this is a perfect case study in the black art of hackstortion.

“Doubling down and leveraging Donald Trump’s brand value is perfect. No downside for the hackers, no upside for the victims, and all grist for the media mill, because someone fell for a phishing email,” he said.

“This is a classic case study in why hackers are always at an advantage – they leverage human behaviour, psychology, marketing and sales techniques, as well as current affairs, to create an environment that is conducive to their goals. There is little risk, if any, to them. For the victims, it is lose-lose.”

Bastable speculated that Grubman likely also suffered from a common problem that arises time and time again – that of senior people within an organisational structure believing they are far too important to sit through security awareness training, coupled with an internal culture of deference to authority that means this attitude is rarely called out.
