Published 01/07/2020 | Written by Jonathan Cotton
Business, politicians, and celebrities are finding their dirty laundry auctioned off online…
The ransomware gang known as REvil (aka Sodin, aka Sodinokibi) has been running amok in recent months, targeting organisations in Australia, New Zealand, and around the world with threats to auction stolen data to the highest bidder if its demands are not met.
It’s just one of many that are hitting local businesses and, according to one local cybersecurity provider, increasingly impacting larger enterprises.
Lion Breweries was hit early in June. The attack shut down the Japanese-owned drink company’s IT systems – crippling its production capabilities – while investigators were brought in to sort out the mess.
Lists of documents belonging to the company soon appeared online, with the extortionists demanding almost AU$1.17 million, payable in the privacy-focused cryptocurrency Monero, for their safe return.
Lion has not paid the ransom, and while the company is now back to brewing, packaging and distributing beer at its breweries across Australia and New Zealand, the worst of it might be yet to come.
“We do still expect to see some further disruptions as we continue to restore systems,” says Lion. “We will continue to work with our team of experts to complete this work as quickly as possible, minimising any further disruptions, including to supply.
“It remains a real possibility that data held on our systems may be disclosed in the future.”
Lion is not the only victim. Melbourne-based Chem Pack has also been targeted, along with an unnamed US food distributor and others. A Canadian agricultural company has had 22,000 of its files auctioned online after refusing REvil’s demands. The gang also says it sold Donald Trump’s ‘dirty laundry’ to an anonymous buyer.
Another high profile target is US entertainment law firm Grubman Shire Meiselas & Sacks, which represents the likes of Elton John, Lady Gaga, Lizzo and Madonna.
With 756 gigabytes stolen, the hackers are now seeking buyers, going so far as to issue multiple press releases taunting their victims with claims that the files relate to sexual scandals involving top politicians, ‘drugs and treachery’, and ‘bribery of celebrities’ by political parties. According to the hackers, the auction of the Grubman files will run for three months and, if a buyer isn’t found, the data will be leaked.
Upping the ante, the group has now added auction functionality to its underground website, so that interested parties can bid on stolen data anonymously.
“REvil’s tactics are unique in that the group publicly auctions data should the company from which it was stolen not meet their demands,” says Brett Callow, threat analyst with New Zealand-based antivirus company Emsisoft.
“While other ransomware groups publish data – or, perhaps, sell it privately in some cases – REvil actually puts it under the hammer.
“The group’s primary intention in doing this may not be the monetisation of the data, but applying additional pressure. Companies may be more concerned at the prospect of their information being sold to competitors or other cybercriminals than it simply being posted on an obscure Tor site.
“Should this tactic prove successful, it’s likely that other groups will also adopt the strategy.”
REvil’s willingness to escalate might be due to desperation, with the Covid-19 pandemic making ransomware victims unable, or at least increasingly unwilling, to pony up the dough for would-be extortionists.
Such attacks have increased significantly in recent years, although numbers have been relatively stable over the last few months.
“We are, however, observing an increase in the number of attacks on enterprise-scale corporations as well as a steady increase in the average amount demanded,” says Callow.
While ransomware costs to the global economy are estimated to top US$10 billion, the prosecution rate for cybercrime is only about 0.05 percent, meaning criminals operate with near impunity.
But what about just paying the ransom? The University of California, San Francisco recently parted with more than US$1m to regain access to data after its School of Medicine was compromised in a Netwalker ransomware campaign.
When does expediency trump principle?
“Opinions as to whether ransoms should be paid differ,” says Callow. “My personal opinion is that they should not.
“Every time a ransom is paid, the criminals are further incentivised and handed additional resources to invest in ramping up their operations. The only way to stop ransomware attacks is to make them unprofitable, and that means companies must stop paying ransoms. Short term pain, long term gain.
“Addressing the problem requires action to both interrupt the revenue stream and close the enforcement gap. Until that happens, companies will continue to be attacked.”