REvil operators, better known as Sodinokibi operators, recently carried out a cyberattack on the New York-based law firm Grubman Shire Meiselas & Sacks. In the attack, the cybercriminals claimed to have stolen nearly 756 GB of data belonging to several high-profile celebrities, including Lady Gaga, Elton John, Robert De Niro, and Madonna. After publishing legal documents related to Lady Gaga, the Sodinokibi operators have now threatened to hold an online auction of pop star Madonna's stolen data on May 25, 2020, at a reserve price of $1 million. Grubman Shire Meiselas & Sacks is a premier entertainment and media law firm that handles the legal affairs of Hollywood A-listers. The firm was the target of a Sodinokibi ransomware attack that compromised confidential data, including contracts, personal messages, email addresses, phone numbers, and other private and sensitive information belonging to its clients.
The Sodinokibi operators are demanding a ransom of $42 million. The cybercriminals threatened to release this highly confidential data in parts if the firm did not meet their demands. As proof that they hold this information, they published Lady Gaga's legal data online, which was immediately blocked and taken down.
A Glance at the Sodinokibi Ransomware
In a recent article, David Balaban explained the emergence and spread of Sodinokibi ransomware and the concern surrounding it. In late April 2019, researchers from Cisco Talos came across a strain of ransomware that had compromised a web server. The entry point was a remote code execution vulnerability in Oracle WebLogic Server software that had been disclosed about a week earlier. The analysts dubbed this infection Sodinokibi. At the time, the predatory program appeared to be just another ransom Trojan resembling hundreds of others. However, the Sodinokibi operators proved this impression wrong a few months later.
The Sodinokibi ransomware lineage now dominates the extortion landscape. It has claimed dozens of high-profile victims, including healthcare facilities and local governments. Furthermore, its distributors' toolkit has expanded well beyond exploiting unpatched software flaws to gain a foothold in computer networks. It follows a Ransomware-as-a-Service (RaaS) model, and the ransoms raked in by the crooks reportedly reach hundreds of thousands of dollars per compromised organization.
Ransom Payments Up 33% in Q1 2020; Sodinokibi and Ryuk Top the List
Owing to the higher penetration and success rate, the average enterprise ransom payment increased by 33% to $111,605 in Q1 2020 compared with Q4 2019, according to the Coveware Ransomware Marketplace Research report. The report found that Sodinokibi (used in 26.7% of attacks), Ryuk (19.6%), and Phobos and Dharma (7.8% each) were the three most used ransomware variants in Q1 2020.