
Celebrity personal data taken in ransomware attack

Today’s big ransomware story is a star-studded affair, according to entertainment news website Variety.com.
Variety says that the law firm Grubman Shire Meiselas & Sacks, or just gsmlaw.com for short, has experienced a ransomware attack that apparently involved the appropriately named REvil malware.
Rather than simply knocking the law firm out of action temporarily, the ransomware crooks are said to have stolen personal data from a laundry list of celebrity clients, too – allegedly more than 750GB in total including contracts, contact information and “personal correspondence”.
The gsmlaw.com website is as good as offline right now [2020-05-11T14:15Z], with just a logo on display and the main menu of the website commented out entirely (the green text below denotes HTML comments):

HTML extracted from gsmlaw.com main web page at 2020-05-11T14:15Z.
Green text denotes HTML code that has been commented out.

Variety’s headline drops the names of Lady Gaga, Madonna and Bruce Springsteen as customers who were affected, but the article itself lists many more:

Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s “Last Week Tonight With John Oliver,” and Run DMC. Facebook also is on the hackers’ hit list.

REvil, also known as Sodin or Sodinokibi, isn’t just operating on the old-school ransomware model of “scramble your files and offer to sell you back the decryption key”.
The latest trend in ransomware attacks is to use a double-barrelled weapon that gives victims two reasons to pay up.
The original criminal plot behind ransomware was that if you didn’t have reliable backups that you could restore quickly, then you might have little choice but to pay up to decrypt all your scrambled files and get your business moving again.
Indeed, by breaking into your network first and taking time to prepare an attack that scrambles most or all of your computers at the same time, cybercriminals aim to cause the most significant disruption that they can.
That has led to some eye-watering ransom amounts, with demands over $1,000,000 very common these days.


In recent months, however, the crooks have doubled down on their leverage.
Before scrambling all your files as a way of grabbing your attention, the crooks quietly upload huge troves of so-called “trophy data” that they use to blackmail anyone who is hesitant to pay up.
In other words, the financial extortion is no longer just a “kidnap ransom” to get your files back, but also a blackmail demand to stop the crooks leaking your data – or, worse still, your customers’ data – to the world.
The modus operandi seems to be to leak what you might call a proof-of-concept sample first, as a way of convincing the victim that the data really did get exfiltrated…
…and then let more and more go as part of the “bargaining” process to persuade the victim into negotiating.
Indeed, the REvil crew has already followed through on its threats to embarrass victims who don’t pay.
Less star-studded but no less worrying is a simultaneous report that global mailing equipment company Pitney Bowes has experienced an attack by the Maze ransomware.
Maze is another cybercrime gang that goes in for huge ransoms and threatens to expose stolen data, infamously demanding about $6,000,000 last year from cable and wire manufacturer Southwire.
Southwire hit back by filing a so-called John Doe (the name used in the USA where defendants haven’t yet been identified) civil lawsuit against the as-yet-unknown criminals behind Maze.

What to do?

Given that ransomware crooks are no longer just keeping you away from your data but also threatening to put the rest of the world in touch with it, prevention is very much better than cure.
Our top tips are:
