REvil gang threaten to auction celebrity data from Mariah Carey, Lebron James, MTV and more

What would you do if your law firm to the stars were to be presented with this choice: pay us $42 million or we’ll sell Mariah Carey’s confidential legal documents on the dark web on 1 July?

… followed by a carefully laid out schedule to sell personal correspondence, contracts, agreements, non-disclosure agreements, court conflicts and other internal correspondence relating to other clients, including Nicki Minaj, Lebron James, Bad Boy Records, MTV and Universal?

If you were Allen Grubman, founder of the star-studded law firm Grubman Shire Meiselas & Sacks, you’d tell the ransomware crooks to get lost. Following a ransomware attack from the REvil cybergang that flattened gsmlaw.com in May, Grubman said he wouldn’t negotiate with the hackers, equating them to terrorists.

In the May attack, the gang stole more than 750GB in total. Now, the blackmailers are making good on their threats to publish it.

According to Variety, REvil has threatened to auction off sensitive documents from the firm’s top clients, laying out a schedule that begins on 1 July with documents from Mariah Carey, Nicki Minaj and Lebron James, starting at $600,000 per celebrity. They plan to auction off documents from Bad Boy Records (starting at $750,000) and from MTV and Universal (starting at $1 million each) two days after that. There’ll be more from an unspecified celebrity – or two or three or more of them, who knows – released on 5 July, the REvil gang promised.

If your eyes aren’t already watering at those prices, here’s the gang’s broken-English note, in which the extortionists claim to have plenty more good, salacious, high-value data where that came from:

We have so many value files, and the lucky ones who buy these data will be satisfied for a very long time. Show business is not concerts and love of fans only — also it is big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs and treachery.

The ransom note concludes with a message to Grubman, referencing what we presume was an earlier demand for a $42 million ransom:

Mr. Grubman, you have a chance to stop that, and you know what to do.

Here they go again

Sex and drugs and rock-and-roll, indeed. This new threat comes after the gang purportedly sold off data on Donald Trump and Lady Gaga. They also released a legal document that’s allegedly Madonna’s tour contract.

Trump reportedly isn’t a gsmlaw client, but the ransomware gang says the documents come from previous attacks on other businesses that have allegedly reaped correspondence, fundraising letters, and invitations to the president’s Mar-A-Lago resort in Florida.

Before that, the REvil crew followed through on its threats to embarrass victims who don’t pay by publishing over 12GB of data that allegedly belongs to another one of its victims, Brooks International.

Earlier in the year, Travelex was also hit by Sodinokibi/REvil ransomware, sending the currency exchange back to the stone ages of using pen and paper and crippling customer service for weeks: an attack that it reportedly paid $2.3 million in ransom to call off.

When will it stop? Well, how deep is the ocean? According to Variety, gsmlaw has a jaw-dropping list of clients, including music artists, actors and TV personalities, sports stars, and media and entertainment companies, from Bruce Springsteen, Bette Midler, Jessica Simpson and Priyanka Chopra to Idina Menzel, HBO’s “Last Week Tonight With John Oliver,” Run DMC and Facebook – to name just a few.

What we know

We don’t know how much REvil got away with and from which clients, but we do know a bit about the gang.

It operates the Sodinokibi (aka Sodin or REvil) Ransomware as a Service (RaaS).

RaaS is the malware for lazy crooks who just want to launch attacks at the press of a button: it enables novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. They don’t have to break a sweat by learning about malware, teaching themselves how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, or otherwise getting their hands dirty with technical details.

Sodinokibi – a GandCrab derivative blamed for numerous attacks that took place last year – is a prime example of RaaS.

“Get lost” redux

Unlike Travelex, gsmlaw isn’t rolling over. Rather, the law firm is yet again telling the REvil gang to go jump in a lake. A spokesman sent a statement describing the gang as pathetic:

The most recent post is yet another desperate nuisance tactic these criminals are using to try to squeeze out a profit from stolen data. Our clients and the entertainment industry as a whole have overwhelmingly applauded the firm’s position that we will not give into extortion.

What to do?

As Paul Ducklin said when he originally analyzed this attack, it’s an example of how ransomware crooks aren’t just scrambling your data these days. They’re also blackmailing victims, threatening to hang their dirty laundry where all can see. Advice for how to save yourself from these attacks is too little, too late for gsmlaw.com and its star-studded clients, but there’s still hope for the rest of us.

Here are our top tips:

  • Patch early, patch often. Crooks who pull off all-your-network-at-once attacks can afford to spend time probing for any existing holes they know about. Make it harder for them by patching known bugs as soon as you can.
  • Check that you don’t have unexpected ways into your network. It’s OK to use technologies such as RDP and SSH for remote administration – just make sure your only remote login portals are where you expect them to be and are set up as you intended, for example within a VPN (virtual private network).
  • Watch your logs. Ransomware crooks who steal masses of data start out by carefully sniffing their way around your network. Very often, they leave telltale signs that someone’s been hanging around where they shouldn’t.
  • Set up an early-warning email address for staff. Crooks often use phishing emails to dig for passwords or data they aren’t supposed to have in order to find their way in. The crooks very rarely send emails to a single person in an organization. One alert staffer who raises the alarm could warn 50 colleagues who might otherwise be in harm’s way.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

For more advice, please check out our END OF RANSOMWARE page.

go top