Extortionists Exfiltrating Data Before Crypto-Locking Systems
REvil’s “Happy Blog” data leaks site announces rolling auctions for data stolen from a celebrity law firm. (Source: Emsisoft)
Behold what could be this summer’s biggest data breach: On July 1, the REvil – aka the Sodinokibi or Sodin – gang is promising to kick off three months of auctions for stolen data pertaining to such performers and athletes as Lady Gaga, Nicki Minaj, Mariah Carey and LeBron James. Bids start at $600,000. But before the auction begins, one lucky buyer can purchase “the entire archive of documents” for $42 million.
The legal, contractual and other data was stolen from the law firm Grubman Shire Meiselas and Sacks in New York, which represents numerous celebrities, including Madonna, U2, Bruce Springsteen and Mary J. Blige. “Bribery celebrity’s by Democratical Party, sexual harassment by top politicians, envy of celebrity’s for each other – all of that are waiting for you in files of Grubman company,” REvil’s grammatically mangled sales pitch promises.
The pitch was posted to REvil’s “Happy Blog” data-leaking site, as the researcher behind the Twitter account Ransom Leaks, which tracks ransomware gangs’ data-leaking efforts, has documented.
#Sodinokibi team is bringing out more of the Gaga Lawyer leaks.
— Ransom Leaks (@ransomleaks) June 24, 2020
Setting aside the question of whether REvil has the goods, one of the biggest takeaways from this incident is that it demonstrates the extent to which many ransomware attacks are not standalone events. Instead, thanks to gangs first exfiltrating data, ransomware incidents very often involve data breaches as well. As a result, depending on local laws, hacked organizations may need to notify individuals that their personally identifiable information was compromised. And under the HIPAA healthcare regulation in the United States, ransomware attacks are reportable breaches if it appears patient data was exposed.
Attackers Know All About GDPR
In Europe, furthermore, under the EU’s General Data Protection Regulation, privacy regulators can investigate victims to ascertain whether they had the right people, processes and procedures devoted to safeguarding PII. If not, the organization could be sanctioned (see: British Airways Faces Record-Setting $230 Million GDPR Fine).
Attackers, of course, know all about this. That’s part of the reason why they’re stealing data; it gives them more opportunities to psychologically compel – as in extort – victims to meet their ransom demands.
In the past, one question I often posed to security experts was: Why don’t more organizations that get hit by ransomware also issue data breach notifications?
The answer I often heard back was: It’s up to a company’s legal team to decide whether data got stolen and triggered breach-notification rules.
But one recurring feature of data breaches is the prevalence of hacked organizations that don’t seem to know what happened or when. Experts say this is often because they lack sufficiently robust intrusion detection and logging tools, meaning attackers may be able to wipe their tracks so that digital forensic investigators have little left to work with. The result is a seemingly existential quandary: organizations cannot report what they failed to prepare to detect.
Enter Leak Sites
But in November 2019, in what may have been a reaction to more ransomware victims paying less, or refusing to pay at all, the Maze gang began shaking up the rules of the game by stealing data to try to force victims to pay. Before long, at least a dozen other gangs followed suit, including DoppelPaymer, MegaCortex, Nemty, Snatch and REvil (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).
“The introduction of the leak sites means that you can no longer hide behind that,” Raj Samani, chief scientist at McAfee, tells me. “You’ve got regulatory penalties associated with the release of data, which puts that discussion squarely in the hands of – I want to say the insurer, but maybe the chief risk officer would be more accurate.”
Crypto-Lock, Breach and Tell
Here’s how data-exfiltration ransomware gangs’ play works:
- Stage one: Victim gets a ransom note. The amount may be set to increase if they don’t pay – say, doubling in 48 hours.
- Stage two: Attacker posts organization’s name to its data leaks site to try to “name and shame” the organization into paying. The attacker’s promise: “Pay us, and we’ll remove your name and delete stolen data.”
- Stage three: Attacker begins leaking stolen data via its leak site, upping pressure on the victim to pay.
- Stage four: Attacker writes off the victim, dumping all stolen data to attempt to teach a lesson to future victims.
Ransomware incident response firm Coveware says that in the first three months of this year, nearly 9% of all cases it worked on involved ransomware attackers stealing and threatening to leak data.
“The reason that they’re creating leak sites is because the message got across, right? People, I believe, were paying less and less,” McAfee’s Samani recently told me.
Leaks, Now in Auction Format
Showing crooks’ ability to keep innovating, more recently, REvil has added a wrinkle. For victims that choose to not pay, it has begun auctioning its entire cache of stolen data to a single buyer.
“REvil has auctioned a number of companies’ data since the Grubman hack, and they probably do have more than the documents relating to Lady Gaga that they already published,” Brett Callow, a threat analyst at Emsisoft, tells me.
“It seems very unlikely that, after penetrating Grubman’s network, they would only have taken data relating to a single celebrity,” he adds. “However, whether the data is as interesting as they say is a completely different matter. Their claims of sex scandals and political skullduggery could well be completely false and made simply in the hope of creating a bidding war.”
Whether such auctions prove to be a money-maker may be entirely secondary to trying to build brand equity – that is, instilling fear among future victims and thus a propensity to more quickly pay up (see: Ransomware Reminder: Paying Ransoms Doesn’t Pay).
For victims, however, it’s a reminder that they’re increasingly having to deal not just with ransomware cleanup, but with responding to a serious network intrusion and data breach – and the headaches those entail (see: Surviving a Breach: 8 Incident Response Essentials).