The prolific hacking group REvil has started auctioning off sensitive data stolen from companies in its various ransomware attacks.
The group, also known as Sodinokibi, is auctioning the stolen data through a dark web site dubbed the “Happy Blog” that offers eBay-like auctions. The first cache of stolen data offered for auction is from Canadian agricultural company The Agromart Group. Sample data from the hack posted by the group includes scanned copies of the company’s financial accounts, personal net worth documents, customer information and credit applications.
REvil claims it plans to auction information relating to singer Madonna next. That information was stolen in a hack of celebrity law firm Grubman Shire Meiselas & Sacks in March. The law firm represents celebrities including Lady Gaga, Elton John, Barbra Streisand, Bruce Springsteen, Mariah Carey and Mary J. Blige. REvil claimed that it had also stolen data relating to U.S. President Donald Trump, but the law firm denied that the president was a client.
Other recent REvil ransomware attacks include Travelex on Dec. 31, CyrusOne Inc. on Dec. 4 and hundreds of dentists in August.
REvil has publicly leaked stolen data in the past in an attempt to blackmail companies into paying; notably, Travelex is reported to have paid the group $2.3 million. The move into auctions, however, is a new step for the group. Auctioning stolen data may be just another tactic REvil is using to pressure victims into paying a ransom, but it may also be a sign that ransomware groups are struggling to obtain payments during the COVID-19-induced economic crisis.
Lawrence Abrams from Bleeping Computer told Krebs on Security that “the problem is a lot of victim companies just don’t have the money [to pay ransom demands] right now… others have gotten the message about the need for good backups, and probably don’t need to pay but maybe if the victim is seeing their data being actively bid on, they may be more inclined to pay the ransom.”
Josh Smith, security analyst at cybersecurity firm Nuspire LLC, agreed with Abrams, telling SiliconANGLE that “as companies feel the economic burdens of COVID-19 and world events, more may not be paying out, or refusing to pay out on the advice of their security teams, and this may be a way for REvil operators to recoup costs of operations.”
“This is one of the reasons why the attackers likely made this eBay-like auction site, to let demand determine the price,” Smith explained. “On top of that, even if the victim organization can restore backups, there is still risk around a public data dump. This appears to be the next evolution of public dumping; even if they have no bites but publicly post it, it could still catch on.”