UPDATED 22:58 EDT / JUNE 03 2020


REvil hacking group starts auctioning data stolen in ransomware attacks

The prolific hacking group REvil has started auctioning off sensitive data stolen from companies in its various ransomware attacks.

The group, also known as Sodinokibi, is auctioning the stolen data through a dark web site dubbed the “Happy Blog” that offers eBay-like auctions. The first cache of stolen data offered for auction is from Canadian agricultural company The Agromart Group. Example data from the hack posted by the group includes scanned copies of the company’s financial accounts, personal net worth documents, customer information and credit applications.

REvil claims it is planning to auction information relating to singer Madonna next. That information was stolen in a hack of celebrity law firm Grubman Shire Meiselas & Sacks in March. The law firm represents celebrities including Lady Gaga, Elton John, Barbra Streisand, Bruce Springsteen, Mariah Carey and Mary J. Blige. REvil claimed that it had stolen data relating to U.S. President Donald Trump, but the law firm denied that the president was a client.

Other recent REvil ransomware attacks include Travelex on Dec. 31, CyrusOne Inc. on Dec. 4 and hundreds of dentists in August.

REvil has made its exploits public in the past in an attempt to blackmail companies for payment. Notably, Travelex is reported to have paid the group $2.3 million. The move into auctions, however, is a new step for the group. Auctioning stolen data may be just another tactic REvil is using to force victims to pay a ransom, but it may also be a sign that ransomware groups are struggling to obtain payments during the COVID-19-induced economic crisis.

Lawrence Abrams from Bleeping Computer told Krebs on Security that “the problem is a lot of victim companies just don’t have the money [to pay ransom demands] right now… others have gotten the message about the need for good backups, and probably don’t need to pay but maybe if the victim is seeing their data being actively bid on, they may be more inclined to pay the ransom.”

Josh Smith, security analyst at cybersecurity firm Nuspire LLC, agreed with Abrams, telling SiliconANGLE that “as companies feel the economic burdens of COVID-19 and world events, more may not be paying out, or refusing to pay out on the advice of their security teams, and this may be a way for REvil operators to recoup costs of operations.”

“This is one of the reasons why the attackers likely made this eBay-like auction site, to let demand determine the price,” Smith explained. “On top of that, even if the victim organization can restore backups, there is still risk around a public data dump. This appears to be the next evolution of public dumping; even if they have no bites but publicly post it, it could still catch on.”
