A mysterious ransomware gang known as ‘REvil’ has been wreaking havoc online in recent days following a high profile ransomware attack targeting New York-based entertainment and media law firm Grubman Shire Meiselas & Sacks earlier this month.
The security incident saw the law firm, which boasts A-list celebrity clients such as Lady Gaga and Madonna, suffer a major ransomware attack in which more than 750 gigabytes of personal information was seized, according to findings revealed by cybersecurity researchers at Emsisoft.
“We can confirm that we’ve been victimized by a cyberattack,” the firm acknowledged in a May 11 press statement provided to the entertainment magazine Variety. “We have notified our clients and our staff. We have hired the world’s experts who specialize in this area, and we are working around the clock to address these matters.”
Later reports have revealed that the hackers, who used a family of malware known as Sodinokibi to launch their ransomware attack, are now threatening to leak the stolen data to the public after posting evidence of the deed on a dark web forum. The information reportedly includes phone numbers, email addresses, personal correspondence and contracts, as well as non-disclosure agreements made with advertising and modeling firms.
The information stolen in REvil's ransomware attack is likely to concern a bevy of celebrities, the most prominent of whom include Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen, Christina Aguilera, Mariah Carey and Mary J. Blige.
The ransomware attack was followed by a further trail of destruction when REvil, reportedly based in Eastern Europe, announced that they would be doubling their ransom demand to $42 million after shifting their focus to a seemingly unrelated target: U.S. President Donald Trump.
“The next person we’ll be publishing is Donald Trump,” the group declared in a dark web post. “There’s an election going on, and we found a ton of dirty laundry.”
From Grubman, to Trump, to Madonna
After the initial ransomware attack on May 11, the group began their slew of demands by calling for $21 million worth of Bitcoin in exchange for the stolen information relating to Grubman Shire Meiselas & Sacks’s celebrity clients.
According to a report which first surfaced in Page Six, REvil followed this on May 14 by revising their demand steeply upward, doubling their ransom price in exchange for information that they allegedly held about the US president.
“Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president. The deadline is one week,” the group’s statement read.
The group made no mention of how the information they claim to have about the U.S. president came into their hands. Donald Trump has had no relations with Grubman, in either a corporate or a political capacity, according to sources who spoke to Page Six.
The most recent development came on May 19, when the ransomware group, seemingly bent on monetizing their crime, announced their intention to auction off stolen data relating to the singer Madonna on May 25, with bids set to begin at $1 million, according to a report by Infosecurity.
Grubman ransomware attack and the broad implications of breaches
According to Mark Turnage, CEO of cybersecurity firm DarkOwl, the implications of the REvil ransomware attack, as well as of other attacks of a similar kind, have the potential to be far reaching indeed.
“Criminals could use the information from Lady Gaga to glean insight on her inner circle, i.e. the security details she uses abroad, etc, as well as her vendors and producers,” he explained. “Not only could the PII and financial information be exploited, but she could be at a higher risk for future tours and international travel. The Trump emails pose political damage from the media coverage.”
Turnage’s view is shared by Brett Callow, a threat analyst at Emsisoft. According to him, a ransomware attack of the kind that struck Grubman provides a good illustration of the extent to which multiple, unrelated parties can be affected by a single security breach.
“Ransomware incidents are now effectively data breaches and no longer simply affect the target company, but also its customers and business partners,” Callow explained. “The exposure of their information may result in impersonation, identity theft, spear phishing attacks, BEC scams or other forms of fraud.”
“Additionally, it’s also possible that the criminals will contact the people whose data has been exposed directly and attempt to extort money,” he added.
While the outcome remains to be seen, the security incident nonetheless makes clear the extent to which cybercriminality can hold a pervasive sway over even the world’s most prominent figures.