The cyber crooks behind the notorious REvil ransomware have begun auctioning off stolen data to the highest bidder, according to an auction page which surfaced earlier this month over the dark web.
The REvil ransomware gang’s new stolen data auction hints not only at the group’s changing tactics—aimed at bending victims to cough up large sums of money while threatening to publicly shame those who do not—but also at the ways in which the economic impact of COVID-19 may come to have an affect the world of cybersecurity.
Stolen data goes up for auction
The criminals behind REvil ransomware (sometimes referred to as ‘Sodinokibi’ or ‘Sodin’) announced their first—and so far only—stolen data auction over a dark web auction site called ‘Happy Blog’ in early June.
There, the criminals sought to sell off stolen data belonging to Canadian agricultural company Agromart Group, which had firmly declined to pay ransom after they suffered a REvil ransomware attack last month.
Reportedly on the table for auction are three databases containing more than 22,000 PDF, DOCX, and XLSX files, according to early reports by KrebsonSecurity and Ars Technica. A minimum deposit of $5,000 in Monero cryptocurrency is being demanded at a starting price of $50,000, with the so-called blitz price being as much as twice that amount.
REvil ransomware takes advantage of COVID-19 turmoil
As Brian Krebs aluded to in his original report on the topic, not only does the REvil ransomware gang’s new stolen data auction signal changing tactics, but it also signals that those responsible are “searching for new ways to profit from their crimes” as many corporate targets battle to keep afloat in the wake of the economic devastation brought about by the COVID-19 pandemic.
The REvil ransomware criminals, reportedly from Eastern Europe, gained global notoriety last month after carrying out a series of high-profile data breaches which involved a large number of prolific figures, including such celebrities as Madonna and Lady Gaga, through its attack against law firm Grubman Shire Meiselas Sack—even going so far as to involve US President Donald Trump.
Krebs’s view on the group’s motives is partly shared by Ilia Kolochenko, founder and CEO of internet security company ImmuniWeb. According to him, the pandemic has spurred an increase in oftentimes unsophisticated attackers targeting companies in order to make ends meet amid an unemployment surge.
“Sadly the coronavirus pandemic has pushed many beginners in the IT field to become cybercriminals amid unemployment and lack of finding a well-paid job in their field,” said Kolochenko. “Thus, we will likely see a surge of fake extortion campaigns ventured by the newbies and aimed to strip organizations out of cash in a simple and swift manner.”
While the cybercriminals behind REvil ransomware are likely to be highly sophisticated attackers, the same trend likely holds true in their case nonetheless. As other cybersecurity experts point out, the fact that stolen data is being auctioned off in the first place indicates the dire straits in which many companies find themselves financially.
“The problem is a lot of victim companies just don’t have the money [to pay ransom demands] right now,” Lawrence Abrams, editor of the cybersecurity publisher BleepingComputer told KrebsonSecurity. “Others have gotten the message about the need for good backups, and probably don’t need to pay. But maybe if the victim is seeing their data being actively bid on, they may be more inclined to pay the ransom.”
Emerging trends in ransomware protection
According to cybersecurity professionals, the REvil ransomware gang’s new tactic of trying to action off stolen data suggests a number of noteworthy developments. One such trend, according to Kolochenko, is a rise of “fake threats”, in which cybercriminals put up a bluff by pretending to possess data that they, in fact, do not. “Many organizations, whose business largely depends on its reputation, are well prepared to pay a fortune to avoid negative publicity,” Kolochenko pointed out to this end.
“Another relatively new but rapidly growing scenario is exaggeration of nature or value of data stolen and encrypted by a ransomware,” he added, pointing out that because corporate data which is often “chaotically dispersed” across an organization’s computers and servers, IT leaders end up having limited visibility of their attack surface, and unable to verify whether or not the data was in fact breached in the first place.
“Once a machine is hacked and encrypted, victims may well believe that attackers will find a backup of their database, critical source code or other important trade secrets,” Kolochenko went on. “However, prior to paying a ransom, you should carefully investigate, analyze and assess the situation to avoid falling victim to manipulative fraudsters.”