Pierluigi Paganini June 03, 2020

REvil /Sodinokibi ransomware operators launch an auction site to sell data stolen from victims that have chosen to not pay the ransom.

Sodinokibi ransomware operators are very active in this period, a few days after the gang has leaked the files allegedly stolen from the UK power grid middleman Elexon it has announced to launch an auction site to sell data stolen from victims that have chosen to not pay the ransom.

The Sodinokibi ransomware operators have launched an eBay-like auction site for stolen data where they plan to sell data stolen from the victims.

Recently Sodinokibi ransomware group claimed to have stolen gigabytes of legal documents from the entertainment and law firm Grubman Shire Meiselas & Sacks (GSMLaw) that has dozens of international stars and celebrities among its clients.

The list of clients of the law firm includes famous artists like Chris Brown, Madonna, Lady Gaga, Nicki Minaj, Elton John, Timbaland, Robert de Niro, Usher, U2, and Timbaland.

Now the hackers plan to auction Madonna’s legal documents in a future auction.

The Sodinokibi ransomware operators use exploits to compromise the target’s network and infect the largest number of computers as possible.

In May 2019, threat actors were observed exploiting recently patched critical Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware to organizations. In June 2019, the ransomware hit several managed service providers, while in August the same malware infected the company behind DDS Safe solution used by hundreds of dental offices and at least 23 Texas local governments as the result of a coordinated effort.

The Sodinokibi gang also operates a leak site on the dark web where they share samples of stolen files to threatens the victims.

Now the group implemented the new “auction” feature, a first auction is for documents stolen from a Canadian agricultural company that was hacked in May and that refused to pay the ransom.

The starting offer for the auction is $50,000 that could be paid using the Monero cryptocurrency.

The gang also threatened to hold an auction for Madonna’s private legal documents stolen from Grubman Shire Meiselas & Sacks (GSMLaw)

The REvil gang published the message “remember Madonna and other people,” suggesting that the files of the music star will be available for auction very soon.

Sodinokibi isn’t the unique ransomware gang that is threatening to publish data of the victims to force to pay the ransom, other gangs are DopplePaymer, Maze, Nefilim, Nemty, RagnarLocker, and NetWalker.

Pierluigi Paganini

(SecurityAffairs – ransomware, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]