REvil Ransomware affiliates have been ramping up their threats to sell stolen data from law firms, Trump, celebrities, and now a food distributor and a 3D printer manufacturer. Learn more about the threats and how others have handled their responses to the attacks.
What is Sodinokibi or REvil Ransomware?
Since its arrival in April 2019, it has become very clear that the new kid in town, “Sodinokibi” or “REvil”, is a serious threat. The name Sodinokibi was discovered in the sample with hash ccfde149220e87e97198c23fb8115d5a, where ‘Sodinokibi.exe’ was listed as the internal file name; the ransomware is also known by the name REvil.
At first, Sodinokibi ransomware was observed propagating by exploiting a vulnerability in Oracle’s WebLogic server. However, like several other ransomware families, Sodinokibi operates as Ransomware-as-a-Service (RaaS): one group maintains the code, and another group, known as affiliates, spreads the ransomware.
The ransomware appends a random extension to encrypted files and doubles the ransom demand if it is not paid on time. The malware is actively distributed in the wild through Managed Service Providers, exploitation of server flaws, spam campaigns, and exploit kits.
History of Attacking Celebrities
You may have heard of REvil Ransomware because of a recent breach at the media and entertainment law firm Grubman Shire Meiselas & Sacks, which recently confirmed reports that it had fallen victim to a ransomware attack.
Several A-list celebrities that are clients of the law firm have potentially had data leaked on the dark web. Madonna’s tour contract was allegedly leaked.
A screenshot of a legal document from Madonna’s recent Madame X tour surfaced on the dark web, apparently bearing signatures from an employee and tour company Live Nation.
Another screenshot depicts dozens of computer files bearing the names of celebrities including Bruce Springsteen, Bette Midler, and Barbra Streisand.
Stars such as Robert De Niro, Madonna, Drake, Nicki Minaj, Mariah Carey, Elton John, U2, and Rod Stewart are among those whose personal information may have been compromised.
The attackers have doubled the ransom request to $42 million and threatened to release damaging information on President Trump.
Although Trump reportedly has never been a client of Grubman Shire Meiselas & Sacks, the New York Post’s Page Six noted that the hackers posted a message online saying that the ransom had been doubled and that “The next person we’ll be publishing is Donald Trump. There’s an election going on, and we found a ton of dirty laundry…” Read more on SCMagazine.
Latest News on REvil – Targeting Food Distributors and Manufacturers
A major food company, Harvest Food Distributors, and its parent company, Sherwood Food Distributors, have recently been targeted by REvil affiliates.
The threat actors posted a notice about their new target around 3 pm MST on 5/15.
This notice contained a link to download a portion of Sherwood’s proprietary files as “previews”, which they plan to release one at a time (8 in total). The first link to leaked information contains roughly 2,300 files. These files contain highly sensitive data, including cash-flow analysis, sub-distributor information, detailed insurance information, proprietary vendor information (including that of Kroger, Albertsons, and Sprouts), scanned driver’s license images for drivers in their distribution networks, and more. The threat actors also posted a conversation they had with Coveware, a leading ransomware mitigation company, dating back to at least May 3rd.
According to HackRead:
Both of these have various supermarket chains as their clients including but not limited to three large ones, namely Kroger, Albertsons, and Sprouts. Hence, at stake is not only the data of the food distributors themselves but also their client chains.
For this, the attackers have demanded a sum of $7.5 million, less than their most recent heist on Grubman but a substantial sum nonetheless.
The data exposed is believed to include 2300 files composed of the following:
- Cash flow analysis details
- Sub-distributor information
- Detailed insurance information
- Scanned images of the drivers’ licenses they use as a part of their logistical network.
DarkOwl reports that FARO Technologies, a leading 3D printing and manufacturing company, is the latest victim of the REvil hackers’ ransomware attacks. Read more from DarkOwl.
Download our REvil Ransomware Advisory
Created in partnership with Cyberint, our REvil Ransomware Advisory covers:
- Background of the REvil Ransomware
- Information on the Dark Web Stolen Data Repository
- Potential Data Exposure
- Risk and Potential Damage from REvil
- Recommendations from Cyberint and Cybriant