Last week, a celebrity New York law firm – Grubman Shire Meiselas and Sacks – whose client list includes Lady Gaga, Madonna, Bruce Springsteen, U2, and Mariah Carey confirmed it has been the victim of a cyberattack. The group behind the attack has now been confirmed as REvil, a prolific threat group that has conducted many attacks on high profile targets, including the foreign exchange company Travelex.
As is typical for the threat group, prior to the deployment of REvil (Sodinokibi) ransomware the group stole a large volume of confidential files from the law firm – reportedly, 756GB of data.
The law firm has not confirmed details of any ransom demand when it confirmed there had been a cyberattack to the news site, Variety¸ but the operators of REvil ransomware claim that the law firm offered to pay a ransom amount of $365,000. That sum was less than 2% of the $21,000,000 demanded by the attackers. As is common in ransomware attacks when the ransom is not paid in full within the allocated time frame, the ransom demand doubled. The REvil gang is now demanding a payment of $42 million threatened to start releasing some of the data stolen in the attack if the law firm refuses to pay.
The group made good on that claim and released a 2.4GB archive that mostly contained data related to Lady Gaga, along with a threat to publish further data including damaging data related to President Trump if no payment was made. The data released so far is mostly harmless and includes information such as contracts for appearances and concerts. Some of the data also mentioned President Trump.
REvil explained that the first release of data consisted of mostly harmless files, but other data stolen in the attack is much more sensitive. They claim that the next data file they release relates to President Trump and is likely to be extremely damaging.
“There’s an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president. Well, let’s leave out the details. The deadline is one week.”
Several news outlets, including the New York Times, have reported that their sources indicate President Trump has never been one of the law firm’s clients, so the claim to hold damaging data on Trump could well be a bluff and an attempt to attract media attention about the attack to pile more pressure on the law firm to negotiate and pay the ransom.
The law firm is currently still refusing to pay the ransom and has stated that the FBI never recommends paying a ransom as there is no guarantee that a valid decryptor will be provided nor that the attackers will delete data stolen in the attack and not misuse or sell it. They also state that paying a ransom to terrorists is a violation of federal criminal law.
That has placed the ball in the attacker’s court. It is unclear what will happen next – whether more sensitive data will be leaked or if the group will attempt to sell the data on the dark net to the highest bidder. Either way, the law firm is in a difficult position and its reputation has taken a serious hit.