Ransomware group opens dark web auction house to sell stolen data

News by Davey Winder

The REvil ransomware group has added a self-hosted online auction feature to its dark web presence. It uses stolen data as leverage when it comes to demanding that the ransom is paid.

Another month, another step in the evolution of the ransomware threat. On June 1, the REvil ransomware group added a self-hosted online auction feature to its dark web presence.

The REvil threat actors, who go by the name of Sodinokibi, are one of the most successful ransomware groups of recent years. As well as being the criminals behind the Travelex attack on New Year's Eve 2019, for which a ransom of more than £1.8 million in Bitcoin was reportedly paid, REvil hit the headlines again in May 2020 when it attacked a New York law firm with celebrity clients.

Always evolving, by the time of the attack on the Grubman, Shire, Meiselas and Sacks law firm, REvil had started not only to encrypt data to lock down systems but also to exfiltrate that data before doing so. The stolen data can then be used as leverage when it comes to demanding that the ransom is paid, as was the case here. Legal documents relating to Madonna and Lady Gaga were published as proof of both possession and intent.

When the demanded ransom of US$ 21 million (£16.75 million) wasn't forthcoming, REvil raised the stakes and the ransom: unless US$ 42 million (£33.5 million) was paid, then "a ton of dirty laundry" in the form of documents relating to President Trump would be published. This turned out to be something of a hollow threat: after the threat actors were declared cyber terrorists and payment was denied once more, REvil published 169 emails supposedly relating to Trump, which turned out to be more damp squib than smoking gun.

REvil very quickly then claimed these were the least damaging documents, and that the remainder had been sold to an interested party. This "relatively new but rapidly growing scenario of the exaggeration of nature or value of data stolen and encrypted by ransomware," Ilia Kolochenko, CEO at ImmuniWeb, said, plays on the fact that many enterprises have limited visibility of their attack surface. "Once a machine is hacked and encrypted, victims may well believe that attackers will find a backup of their database, critical source code or other important trade secrets," he concluded.

Having likely realised their bluff had been called over the Trump threats, REvil then said it would be auctioning off data relating to celebrity clients, starting with Madonna. Which brings us to the present and the establishment of the REvil dark web auction site. The "first lot" to be auctioned, the site declares, contains "accounting documents, and accounts, plus a lot of important information that may be of value to competitors" relating to the Agromart Group of Canadian agriculture companies. That announcement ends with a reminder that "we remember the Madonna and other people."

REvil is just one of the cybercrime groups that are changing the ransomware narrative, so does this mean that enterprises need to change their defensive narrative in response? "Ransomware attacks have morphed from encryption-only events to full-out data breaches," Brett Callow, a threat analyst at Emsisoft, told SC Media UK, "they no longer represent a risk only to the target company, but also to its customers and business partners as their data is inevitably exposed."

When it comes to the REvil auction development, Callow says that it ramps up the pressure on future victims as "companies are likely to be more concerned about the prospect of their data being publicly auctioned than they are about it simply being posted on a little-known dark web leak site." Of course, it's highly likely that while REvil is the first to take this route, they will not be the last.

"In the past, it was often said that backups were the best protection against ransomware, but that’s no longer the case," Callow continues, "while backups are certainly critically important, they cannot help recover stolen data." Which is why it's more important than ever for the enterprise to place an emphasis on prevention: "systems should be promptly patched, MFA used everywhere it can be used, PowerShell disabled when not needed and admin rights limited," Callow says.

Enterprises should also assume that their perimeters will be breached and monitor their environments for signs of compromise; earlier detection and neutralisation can stop an attack before data is either exfiltrated or encrypted. "Too often, ransomware attacks succeed because basic security best practices were not followed," Callow concludes, "and that needs to change."

Javvad Malik, a security awareness advocate at KnowBe4, agrees that it is "essential that organisations invest in security controls to prevent the initial infection," and warns that simply being able to detect an infection may not be enough. "The prevention controls include not only technical measures, but also ensuring external-facing systems are patched appropriately," Malik said, "and that users are provided with up to date and effective security awareness and training so they can identify phishing emails through which many attacks start."
