The operators of the REvil ransomware have launched a new auction site used to sell victims’ stolen data to the highest bidder. REvil, otherwise known as Sodinokibi, is a ransomware operation that breaches corporate networks using exposed remote desktop services, spam, exploits, and hacked Managed Service Providers. Once established on a network, the operators quietly spread laterally through the company while stealing unencrypted data from workstations and exposed servers.
It is the age-old problem of how to monetize a breach. With ransomware, the one paying is the information owner; it is relatively straightforward and does not require an understanding of the local language, of the targeted industry, or of the information obtained. The other option, targeting specific information, identifying it, exfiltrating it, and finding a private buyer, is tedious, hard to pull off, and expensive. This approach, exfiltrating sets of data and auctioning them off, is in part a novel attempt to solve the problem of identifying a buyer or fully qualifying the value of the information.
REvil ransomware is the same strain that was used when the A-list law firm Grubman Shire Meiselas & Sacks was breached last month. The fact that this cybercriminal gang has set up a site to auction exfiltrated data just proves how valuable information is in today’s digital society. From personal information (in this instance Madonna and other celebrities) to corporate data, such as that of a US food distributor, information in all forms has significant resale value on the dark web. Unfortunately, once private information leaves the corporate perimeter after a data breach, there is very little that can be done. Instead, organisations must take proactive steps to secure their systems before data can be breached and regularly ensure that those steps meet compliance regulations, such as GDPR. It will be some time before the law firm Grubman Shire Meiselas & Sacks can rebuild its reputation. This just proves how important it is to have adequate cybersecurity hygiene.
Cybercriminals have clearly been financially affected by the pandemic, as many groups have changed their income generation tactics in recent months. Whether it is due to a lack of ransoms being paid, or because the message about backing up data correctly has finally got through, these cybercriminal gangs are changing tack to generate more cash where they can.
They now seem to attempt more extortion where possible, or, in this case, auctioning off the information. Bidders could be anyone from physical stalkers and burglars to other interested parties, which makes it very difficult to profile the buyers, let alone stop the sale.
To stop this from happening, companies not only have to tighten their security defences, but also encrypt more of their own data so that, if it were stolen, it would at least be unreadable to the thief.
As employees continue to work remotely, companies run the risk of exposing their corporate networks in a variety of new ways. It’s important that businesses educate their employees on safe remote working practices in the same way they established secure work environments in the office. Stopping the spread of ransomware as soon as it is detected is also critical. If someone on the team suspects they may have been hacked, they should disconnect from the network immediately and inform the rest of the company to curb the spread.
Ransomware brings organizations to a stop, causing havoc. Organizations can proactively defend against ransomware by having crisis management in place that practises scenarios involving ransomware. Key learnings come from crisis management tabletop exercises, including identifying business continuity gaps. That this particular ransomware operation uses an auction system will only make it more profitable, and therefore more popular. The best defence against ransomware is a robust Business Continuity Plan which includes regular backups, version control and thorough testing of disaster recovery procedures. Companies that leverage cloud-based storage and automatic syncing from endpoint devices will be well placed to recover from such attacks, but should practise the recovery procedure to minimize downtime if an attack does occur.