REvil Ransomware Gang Auctioning Off Stolen Data

First Batch of Hacked Data Posted; More Auctions Threatened
The REvil ransomware gang has created a darknet auction site for stolen data, according to the security firm Emsisoft.

The auction site, which REvil - also known as Sodinokibi - announced earlier this week, is offering data that the gang claims was taken from Canadian agricultural company Agromart Group. The REvil gang is threatening to offer more data for sale to the highest bidder in the coming weeks.

In an announcement about the auction posted to its darknet portal and shared with Information Security Media Group by Emsisoft, REvil appears to offer for sale documents and other details covering Agromart Group’s last three months of operations.

REvil auction site announcement (Source: Emsisoft)

Security firm Cyble says it examined the Agromart Group data posted by REvil to the auction site and found it contained scanned copies of the company's financial accounts, personal net worth documents, an aging report of documents of its users, and the company's credit application and agreement form.

The opening price for the company's data is listed at $50,000, and it can be paid in the monero digital currency, ZDNet reports.

A spokesperson for the Agromart Group did not immediately reply to a request for comment.

Strong-Arm Tactics

The addition of an auction site is the latest development in how ransomware gangs are leaking data to force more victims to pay a ransom, says Brett Callow, a threat analyst at Emsisoft.

"While ransomware groups have likely sold and traded data in the past, this is the first time that it has actually been sold in an organized auction - but it will probably not be the last time," Callow tells Information Security Media Group.

In 2019, the Maze ransomware gang posted teasers of stolen information to its website in an effort to compel the victims to pay. Other gangs, including REvil, DoppelPaymer, MegaCortex, Nemty, Nefilim, CLOP, Sekhmet and Snatch, quickly followed suit, using dedicated leak sites to make their threats public (see: Crypto-Lock and Tell: Ransomware Gangs Double Down on Leaks).

Now that REvil has created a dedicated auction site for others to bid on stolen data, Callow says other ransomware operators are likely to follow.

"Selling the data in this way not only provides the criminals with an additional option for monetization, it also puts additional pressure on future victims," Callow says. "The prospect of their data being auctioned and sold to competitors or other criminal enterprises is likely to concern companies more than the prospect of it simply being posted on an obscure Tor site."

In addition to data from the Canadian company, REvil is threatening to auction off data related to an attack against the New York law firm Grubman Shire Meiselas and Sacks, which represents celebrities, including Lady Gaga, Madonna, Mariah Carey, U2, Bruce Springsteen and Mary J. Blige (see: Hacked Law Firm May Have Had Unpatched Pulse Secure VPN).

After the gang claimed negotiations with the firm fell through, REvil posted a batch of Lady Gaga's legal documents and other data on the darknet. Now it claims that it will add Madonna's legal data to its new auction list, according to Emsisoft.

Representatives of Grubman Shire Meiselas and Sacks have told Rolling Stone and other publications that the firm will not pay a ransom to the REvil gang and that it’s cooperating with the FBI and other law enforcement during the investigation.

No Signs of Slowing

REvil has claimed responsibility for a number of ransomware attacks on many major organizations over the last several years. Earlier this year, the gang extorted a ransom of $2.3 million from London-based foreign currency exchange Travelex after attacking the company on New Year's Eve and holding the company's data hostage for weeks, according to the Wall Street Journal (see: Travelex Paid $2.3 Million to Ransomware Gang: Report).

According to an April report by ransomware incident response firm Coveware, REvil was the most common type of ransomware tied to successful attacks among the firm’s clients in the first quarter of 2020 (see: Ransomware: Average Business Payout Surges to $111,605).

Managing Editor Scott Ferguson contributed to this report.

About the Author

Ishita Chigilli Palli

Senior Correspondent, Global News Desk

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.
