In just the past week, for starters, reports have emerged of a collaboration between the Maze and LockBit gangs, and of the REvil (aka Sodinokibi) operators not leaking stolen data for free when victims don’t pay, but instead auctioning it off to the highest bidder.
REvil in recent days has begun data auctions for two more alleged victims: Fraser Wheeler & Courtney LLP, based in Lake Charles, Louisiana; and Vierra Magen Marcus LLP, in Daly City, California. Neither law firm immediately responded to a request for comment.
The listing appeared June 6 on REvil’s official blog on the darknet, where bidders can look to acquire 50GB of data from Fraser Wheeler & Courtney LLP and 1.2TB of data from the database of Vierra Magen Marcus LLP.
Auctioned information includes client information, internal documentation of the company, electronic correspondence, patent agreements, business plans, and projects, as well as new technologies that have yet to be patented.
The IP-related law firm is one of the victims
The Vierra Magen Marcus LLP law firm specializes in intellectual and scholar property law. The REvil ransomware gang claims that the company’s clients include more than 650 technology companies and individuals, with clients such as Asus, Toshiba, Seagate, Nissan, LG, Silicon Valley startups, and “more big companies.”
The attackers declared that the starting price for the Fraser Wheeler & Courtney LLP listing is $30,000, to be paid in Bitcoin (BTC) in less than a week; otherwise, the group threatens to leak and publicize the data. They even set up a countdown, which was still displayed as of press time.
What are the motivations behind the auction?
“While ransomware groups have likely sold and traded data in the past, this is the first time that it has actually been sold in an organized auction – but it will probably not be the last time,” Emsisoft threat analyst Brett Callow tells Information Security Media Group.
“Selling the data in this way not only provides the criminals with an additional option for monetization, but it also puts additional pressure on future victims,” he says.
“The prospect of their data being auctioned and sold to competitors or other criminal enterprises is likely to concern companies more than the prospect of it simply being posted on an obscure Tor site.”
Callow cautions that ransomware has morphed into a multi-billion dollar industry in which tactics are becoming ever more extreme and the amounts demanded ever higher. He noted, “They’re fast becoming apex predators.”
The threat analyst said the following about what companies must do to contain ransomware attacks:
“The only way to reverse this trend is to cut off the flow of cash, and that means companies must stop paying ransoms. If this does not happen, attacks will continue and become ever more sophisticated and hard to defend against.”
To sum up: another innovation that’s come to light in recent days is not leaking data, but instead auctioning it for sale to the highest bidder. This might be a response to those who were advising victims not to pay the ransom demanded by the attackers.
Gangs showed us they can always surprise us with another way!
REvil, also known as Sodinokibi or Sodin, is a ransomware operation that breaches companies’ networks using spam, exploits, and exposed remote desktop services, and by hacking managed service providers (MSPs). The gang primarily focuses on big firms and avoids targeting consumers.