REvil Cyber Crime Group Strikes Celebrity Law Firm – Makes Off with a Slew of Private Information

The REvil cybercrime group carried out such a brazen attack that the American government branded them as terrorists. The notorious hackers targeted a New York-based law firm – Grubman Shire Meiselas & Sacks. That, in and of itself, is not anything worthy of the terrorist brand. What makes this cyber attack stand out is the targeted firm's client list and the obscene ransom request.

The REvil group infected the N.Y. firm with ransomware, encrypted its systems, and stole a staggering amount of private data from an impressive client list. The attackers deleted or encrypted all of the firm's backups, leaving it no option but compliance. The only apparent way for the law firm to regain control of its data is to pay the ransom, receive a unique decryption key, and unlock the encrypted files.

An Impressive Client List

The New York law firm boasted an impressive roster of clients. Among the names, you find Lady Gaga, LeBron James, Mariah Carey, Mike Tyson, Elton John, Colin Kaepernick, Nicki Minaj, Sloane Stephens, Bruce Springsteen, Madonna, Robert De Niro, Lizzo, and Sofia Vergara. And that merely scratches the surface.

Fig.1
REvil posted a screenshot of files titled with the names of the company's clients. Source: Dailymail.co.uk

The cyber attackers also claimed that Donald Trump, the U.S. President, was among the firm's clients and that they now have 'dirt' on him. However, that claim has been disproven.

That minor detail did not stop the cybercriminals from continuing their charade and threatening to expose sensitive information on Trump.

The attackers threatened to release all the data they stole unless they got paid an obscene amount of money in ransom. With the stakes that high, naturally, the FBI got involved. The bureau got the case and announced that "negotiating with or paying ransom to terrorists is a violation of federal criminal law."

REvil Getting the Attention of the FBI

As soon as the group's representatives found out about their new terrorist branding, they got quite upset. To get slapped with the word 'terrorist' is not what they expected, and it prompted a quick response from the cyber attackers. They turned to the dark web and posted a lengthy rant regarding the matter. Part of their statement included, "Mr. Lawyer says that Donald has never been their client. And he says that we are bluffing. Oh well. The first part, with the most harmless information, we will post here." The post finished with links to 169 emails, which supposedly were a small part of the 'dirty laundry' they claimed to have on the U.S. President.

Furthermore, the hackers continued to update interested parties via their dark web posts. In one recent such post, they claimed that "Interested people contacted us and agreed to buy all the data about the U.S. President, which we have accumulated over the entire time of our activity." They carried on to say how "very pleased with the deal" they were but did not share specifics. That led many to believe it was all one big ruse, which experts then confirmed as fact.

What gave further credence to the hoax theory was the fact that the 169 emails the hackers shared as 'proof' of the dirt they have on Trump were, at the very least, found wanting. The emails appeared to contain nothing that can get classified as 'dirt.' Moreover, it looked like someone browsed through archives by searching for the word 'trump' and then shared everything that contained that specific word. That included 'trump' getting used as a verb and messages referring to Trump in the third person. According to experts, the data dump had little to nothing that could relate to the President at all. The pretense that it did merely got used as leverage for the ransom to get paid.

A Ransom Request That Reaches for the Stars

The REvil hackers didn't put a limit on their greed. The ransom they requested amounts to $42 million to get paid in Bitcoin, or £34.6 million, and that's no small amount.

Initially, the cyber extortionists gave the law firm a week to pay them half of that – $21 million in ransom, but the firm countered the demand. They agreed to transfer a mere fraction of the requested amount – only $365,000. Since their demand didn't get met, the crooks doubled it. If it were to get paid, it would become the biggest ever ransom given to cyber attackers.

The REvil attackers tend to issue their statements on the dark web. They use forums there to clue everyone in on their threats, thoughts, and actions. The crooks stole contracts, non-disclosure agreements (NDAs), email addresses, phone numbers, personal correspondence, music rights, and so on, from the New York law firm. It's on one such forum that the cybercriminals offered proof of their hack by leaking private files.

Presumably to pressure the law firm to pay up, the attackers released some of the stolen data on the dark web. They shared images of "a contract for Madonna's 2019-20 'Madame X' tour with Live Nation" on a dark web forum. They also posted 2.4GB of data containing legal documents of Lady Gaga – concert contracts, T.V. appearances, and merchandising.

Fig.2
Part of Madonna's recent Madame X tour contract, which REvil stole in the hack. Source: dailymail.co.uk

After those leaks came the threat that the President is next on the list.

"The next person we'll be publishing is Donald Trump. There's an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don't want to see him as president. Well, let's leave out the details. The deadline is one week."

As already stated, experts found the claim that Donald Trump was a client of the firm to be false. It's still important to note that even if the cyber attackers may not have actual dirt on Donald Trump, they do have a lot of sensitive, private information on a slew of celebrities.

Experts suggest that the only way for the criminals to turn a profit is to auction off what they managed to steal. And, they have already begun doing so. They announced that on May 25, they would auction the data relating to Madonna – a confirmed client of the hacked law firm. The starting price would be a million dollars.

There's no telling how much money the cybercrooks can make off the data they stole. After their hack, experts alleged that REvil made off with 756 GB of data.

A Little More About REvil

The notorious hacker group REvil allegedly originates in Eastern Europe. If the name rings a bell, it's because there's infamous ransomware by the same name, which has been plaguing web users for a while. REvil, also known as Sodinokibi, is a formidable ransomware threat, first discovered on April 17, 2019.

The infection usually gets distributed via backdoored software installers, scan-and-exploit techniques, remote desktop (RDP) servers, and exploit kits.

As soon as the ransomware slithers into your system, its programming activates. The malware encrypts everything.

To prevent resource conflicts that would get in the way of wiping or encrypting files, REvil terminates processes on its blacklist. It also deletes shadow copies, so the targeted system cannot restore what got locked or deleted by turning to those local backups. To top it all off, it disables recovery mode, too.

After encryption finishes, it leaves you a ransom note. You can find it on your Desktop and in every folder that contains encrypted files. It tends to be a 'txt' file called 'HOW-TO-DECRYPT.txt.' Below, you can see an example of a REvil ransom note.
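The two behaviours just described, the destruction of local recovery options and the ransom note dropped in every folder with encrypted files, are also what a defender can look for. The script below is an added example, not code from the article or from Secureworks: it runs simple detection logic over a constructed, simplified process-creation log (the 'host=..|user=..|image=..|cmd=..' format is invented for this example, not any vendor's schema) and walks a constructed directory tree for files named like the note the article describes. The command-line patterns assume the commonly observed Windows commands for shadow-copy deletion (`vssadmin delete shadows`, `wmic shadowcopy delete`) and for disabling recovery (`bcdedit ... recoveryenabled no`); the article names the behaviour but not the commands.

```python
"""Detection helpers for the REvil/Sodinokibi behaviours described above.

Added example, not code from the article or from Secureworks. The log format
below is a constructed 'key=value|key=value' process-creation record, not any
vendor's real schema; the command-line patterns are the commonly observed
Windows commands for shadow-copy deletion and recovery disabling (assumption).
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Backup-destruction steps the article describes, as case-insensitive regexes.
DESTRUCTIVE_PATTERNS = {
    # vssadmin.exe Delete Shadows /All /Quiet
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    # wmic.exe shadowcopy delete (alternative way to remove shadow copies)
    "shadow_copy_deletion_wmic": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    # bcdedit /set {default} recoveryenabled No
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no\b", re.I),
}

# The article names the note 'HOW-TO-DECRYPT.txt'; matching on the suffix also
# catches the variant where a random extension is prefixed to that name.
NOTE_SUFFIX = "how-to-decrypt.txt"


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'host=..|user=..|image=..|cmd=..' record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(fields["host"], fields["user"], fields["image"], fields["cmd"])


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of every destructive pattern the command line matches."""
    return [name for name, rx in DESTRUCTIVE_PATTERNS.items() if rx.search(event.command_line)]


def scan_events(lines) -> list[tuple[str, str, str]]:
    """Run every non-empty record through classify(); return (host, tag, cmd) alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for tag in classify(event):
            alerts.append((event.host, tag, event.command_line))
    return alerts


def find_ransom_notes(root: str) -> list[str]:
    """Walk a directory tree and return every file whose name ends in the note suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower().endswith(NOTE_SUFFIX))
    return sorted(hits)


# Constructed sample records: a benign 'dir', two destructive commands, a benign 'list'.
SAMPLE_EVENTS = """\
host=WS01|user=CORP\\jdoe|image=C:\\Windows\\System32\\cmd.exe|cmd=cmd.exe /c dir
host=WS01|user=CORP\\jdoe|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin.exe Delete Shadows /All /Quiet
host=WS01|user=CORP\\jdoe|image=C:\\Windows\\System32\\bcdedit.exe|cmd=bcdedit /set {default} recoveryenabled No
host=WS02|user=CORP\\svc_backup|image=C:\\Windows\\System32\\vssadmin.exe|cmd=vssadmin.exe list shadows
"""


def demo_ransom_note_scan() -> list[str]:
    """Build a constructed tree with a note in three folders plus a decoy; return relative hits."""
    root = tempfile.mkdtemp(prefix="revil-demo-")
    for sub in ("Desktop", os.path.join("Documents", "contracts"), "Pictures"):
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        with open(os.path.join(folder, "a1b2c3-HOW-TO-DECRYPT.txt"), "w") as fh:
            fh.write("constructed stand-in for a ransom note\n")
    with open(os.path.join(root, "Pictures", "notes.txt"), "w") as fh:
        fh.write("unrelated file, must not match\n")
    return [os.path.relpath(p, root) for p in find_ransom_notes(root)]


if __name__ == "__main__":
    for host, tag, cmd in scan_events(SAMPLE_EVENTS.splitlines()):
        print(f"[{host}] {tag}: {cmd}")
    for note in demo_ransom_note_scan():
        print("ransom note:", note)
```

Of the four sample records only the `Delete Shadows` and `recoveryenabled No` lines raise alerts; `vssadmin list shadows` is a routine administrative command and stays quiet. The directory walk finds the three note files and ignores the decoy `notes.txt`. In practice the same patterns belong in the endpoint or SIEM rule set, and a burst of identically named text files appearing across many folders is the second, independent signal that encryption is already under way.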

Fig.3
A REvil ransom note. Source: Secureworks

You need not look any further than on your Desktop, to realize you're in trouble. Not only because REvil leaves you the ransom note there, but also because it changes your Desktop wallpaper. To clue you into your ordeal, it gives you a new image. It's nothing fancy, but quite the opposite. You can see an example below.

Fig.4
Example of a desktop background after encryption. Source: Secureworks

The ransom note contains instructions on what the cyber attackers expect you to do. They want you to go to a unique URL if you're to decrypt your data. If you open it, that URL takes you to an attacker-controlled site, which shows you a ransom payment key and extension form. The extortionists expect you to provide the key and extension name, which you can find in your ransom note.

Fig.5
Ransom payment key and extension form. Source: Secureworks

After you do that (enter your unique information), they tell you the exact ransom amount they want you to pay. It's almost always in Bitcoin. Below you can find an example of a payment request and instructions to follow.

Fig.6
Instructions and ransom payment details. Source: Secureworks

The data kidnappers promise that if you do all they ask of you, you'll manage to regain control of your data. Supposedly, after payment, they send you a decryption key, which unlocks everything they had locked. In an attempt to earn your trust, they offer to decrypt three of your files for free and give you a choice between 'png,' 'jpg,' and 'gif' files.

Fig.7
Trial decryption offer. Source: Secureworks

Heed experts' advice and do NOT fall for these lies. Remember, you are dealing with cybercriminals, people who infiltrated your system and then corrupted it. You cannot trust a word they say. Don't fall into the web of lies they spin, and don't follow their instructions. Don't pay the ransom! Don't waste your energy and money dealing with these people. It's not worth your time.

May 28, 2020
