REvil Ransomware Group Auctions Stolen Data
June 4, 2020 Share

REvil Ransomware Group Auctions Stolen Data

A prolific ransomware group has begun auctioning data stolen from victim organizations that refuse to pay up, marking an escalation in its monetization efforts.

The gang behind the REvil (aka Sodinokibi) variant this week took to its dark web blog to announce the first auction, related to a Canadian agricultural company it compromised which has declined to pay a ransom.

The group claimed the three-database trove contains accounting documents and other “important information” which may be of use to competitors. A starting price of $50,000 was set for the 22,000+ files.

REvil has threatened to auction stolen data before: when it claimed to have stolen 756GB of data from New York-based celebrity law firm Grubman Shire Meiselas & Sack.

On that occasion the promised auction of data relating to client Madonna never materialized, although there are signs it may yet happen, with a starting price of $1 million.

However, it’s unclear how much of this is classic cybercrime bluster. A previous post claimed the group had “a ton of dirty laundry” on Donald Trump, even though reports suggested he was never a client of the law firm. It conveniently later claimed that a private bidder had bought all the info on the US President, so it would not be releasing the trove.

REvil’s latest auction tactics can be viewed either as sign of its insatiable greed, or of a group struggling to extort as much money from victims during the pandemic.

According to Group-IB, it is one of the top three “greediest ransomware families with highest pay-off.”

The group is noted for targeting managed service providers (MSPs) to access customer documents, as well as local governments in the US. It uses quasi-APT tactics such as exploitation of VPN system vulnerabilities to gain a foothold in systems, Mimikatz to steal credentials, and PsExec to perform lateral movement and reconnaissance.

This post REvil Ransomware Group Auctions Stolen Data originally appeared on InfoSecurity Magazine.

Read More