REvil Ransomware operators to auction stolen data from US law firms

By Harshini Nag

The ransomware group has targeted sensitive data held by law firms over the past six months

The operators of the REvil ransomware group have wreaked havoc by stealing the data of two US-based law firms. REvil has set up an auction on the dark web where buyers can bid for access to the stolen data. According to media reports, more than seven ransomware attacks on law firms have occurred in the past six months.

Most of these attacks are being traced back to the REvil gang — also known as Sodin and Sodinokibi — which is a ransomware-as-a-service (RaaS) operation. The ransomware operation breaches corporate networks using spam, remote desktop services and exploits. Then, it quietly spreads laterally through the company, stealing unencrypted data from exposed servers.

Once access to the domain controller is achieved, the operators deploy the ransomware to encrypt all the computers on the network. The operators then demand ransom, usually in Bitcoin or another cryptocurrency. The REvil operators also have a data leak site used to publish sensitive stolen information if the ransom isn’t paid. They have also begun to auction the stolen data on the site to the highest bidder.

On June 6, 50GB of data from Fraser Wheeler & Courtney LLP and 1.2TB of data from the database of Vierra Magen Marcus LLP appeared on REvil’s official blog on the darknet. The data being auctioned includes sensitive information such as client information, internal documentation of the company, patent agreements, business plans and projects involving new technologies that have yet to be patented.

Vierra Magen Marcus LLP specialises in intellectual property law. The company’s clients include more than 650 individuals and businesses, such as Toshiba, Seagate and Nissan. The starting price for auctioning the data of Fraser Wheeler & Courtney is $30,000, to be paid in Bitcoin. The operators threaten to go public if the ransom is not paid in less than a week.

Brett Callow, threat analyst at malware lab Emsisoft, told Cointelegraph that the auctioning began after the group failed to extract a ransom from Grubman Shire Meiselas & Sacks, the law firm representing Madonna. He believes that auctioning is not only a way to generate revenue from the stolen data but also a way to “up the ante for future victims.”

“The prospect of data being auctioned and sold to competitors or other criminal enterprises may worry companies far more than it simply being posted on an obscure Tor site and so provide them with an additional incentive to pay the demand,” he added. Cautioning that ransomware had now become a multi-billion-dollar industry, Callow stated that the only way to “reverse this trend is to cut off the flow of cash, and that means companies must stop paying ransoms.”