Cybercriminals threatening to auction off stolen files from Lady Gaga, Madonna, and (maybe) Donald Trump

The hackers claim the high-profile law firm where the files originated has refused to pay their ransom.

The hackers behind the ransomware attack on celebrity law firm Grubman, Shire, Meiselas & Sacks have abandoned their effort to get more than $42 million out of the lawyers and have reportedly moved on to auctioning the files off to the highest bidder.
 
The group made waves on May 7 when they posted a message on their "Happy Blog" claiming to have breached the internal systems of Grubman, Shire, Meiselas & Sacks, which represents hundreds of Hollywood heavyweights like Robert De Niro, Tom Cruise, Lady Gaga, Jennifer Lopez, Bruce Springsteen, Elton John, and many more. The attackers posted a screenshot listing the files they stole; the list features dozens of the biggest names in entertainment and runs to 756 gigabytes of documents, contracts, and legal files.
 
In a detailed blog post, experts with cybersecurity firm DarkOwl explained that through their investigation of the Dark Web, they have found indications that the hackers behind the so-called REvil ransomware attack have pivoted away from their first tactic and are looking for another way to monetize the data they stole.
 
It has been a bumpy ride for the law firm over the past week and a half. The firm's founder, Allen Grubman, is one of the most powerful attorneys in the entertainment business, and the firm represents companies as well as stars like LeBron James, Drake, The Weeknd, and Priyanka Chopra.
 
"We can confirm that we've been victimized by a cyberattack. We have notified our clients and our staff. We have hired the world's experts who specialize in this area, and we are working around the clock to address these matters," Grubman, Shire, Meiselas & Sacks representatives wrote in a statement to Variety on May 11. 
 
The cybercriminal group behind the attack has now posted its correspondence with Grubman, Shire, Meiselas & Sacks, highlighting that they were offered just $365,000 of the $21 million they demanded after the initial attack. 
 
The group did not take kindly to the lowball offer and doubled their price, asking for $42 million. They also released one 2.4 GB tranche of data related to Lady Gaga that included dozens of her contracts, medical records, deals, and other documents, according to DarkOwl's analysis of the files.
 
They upped the ante further in a subsequent post, claiming they had information related to US President Donald Trump. The White House and the law firm have denied that the president was ever a client of Grubman, Shire, Meiselas & Sacks, leading many to think the hackers were either bluffing or touting files tangentially related to President Trump.
 
"Mr Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don't want to see him as president … The deadline is one week," the hackers wrote on their blog.
 
A spokesman for the law firm told CNN on Sunday that it was working with the FBI and would not pay the exorbitant ransom. 
 
According to DarkOwl CEO Mark Turnage, the group has since pivoted to selling the data they stole to the highest bidder in auctions. 
 
Turnage said DarkOwl researchers scouring the Dark Web found that once nobody bit on the $21 million, the REvil attackers rebranded and tried to raise the ransom using the Trump angle. 

"Immediately, the US government responded with 'we don't negotiate with terrorists' and labeled them a cyberterrorist organization, which changes things dramatically. If you understand the culture of the Dark Web and the different communities and how they overlap, cybercriminals don't like terrorism more than anyone else," Turnage said.

"The financial criminals don't like the label of 'terrorist' any more than anyone else would. They responded by dropping 165 emails mentioning Trump the next morning."

Turnage noted that while the cybercriminals may have thought mentioning President Trump's name would add value to what they stole, it actually brought increased scrutiny and, more importantly, law enforcement, dashing any hopes they had of a big payday. The hackers have now turned to Dark Web auction houses instead. 
 
"Putting the data out there for free to do extortion or to leverage the extortion isn't effective because now the police are involved, the FBI is involved, the Secret Service is involved because Trump was mentioned. They then turned to this auction house called Jokerbuzz," Turnage said.

"Jokerbuzz is run by Russians and Eastern Europeans and they have an auction house where data leaks mostly from a bunch of political figures from Russia and Eastern Europe. Their emails and their correspondences that have sold in previous auctions. We have no idea what the price for [the stolen data] is yet."
 
The same group also attacked Sherwood Food Distributors, one of the country's biggest food distribution companies. Known as REvil or "Sodinokibi," the group is well known to researchers because of a lucrative attack it pulled off against currency exchange company Travelex. 
 
Because of DarkOwl's work offering access to the world's largest dataset of Dark Net and deep web content, the company's researchers have seen the files related to Lady Gaga, Sherwood, and the initial documents related to President Trump.
 
The cybercriminals released 2,300 files from Sherwood containing highly sensitive data including cash-flow analysis, sub-distributor information, detailed insurance information, proprietary vendor information (including Kroger, Albertsons, and Sprouts), scanned driver's license images for drivers in its distribution network, and more, according to DarkOwl.
 
"I wouldn't be surprised if the hackers have concluded that they're not going to get paid," Turnage said, adding that the leaks may not affect the big stars who can change all of their information but it will have a drastic effect on Sherwood.

"They may be trying to monetize the data in some other fashion. For Sherwood Foods, it's actually really, really deadly. If I'm another one of their competitors, I can see exactly what they're charging, what margins they're making, who their clients are, and I can go steal those two clients."

Turnage explained that most of the information in Lady Gaga's files was old photos and contracts from when she was on her world tour, but there was also sensitive personal information that should not be public. The hackers said they released her data because "the time is up."

In the blog post, DarkOwl researchers explain that a review of the Lady Gaga data revealed there are over 3,000 files across 350 folders which include W9 forms, expense reports, producer agreements, certificates of engagements, and confidentiality agreements over the last decade. The most worrying part is the folder titled "Gaga Medical Confidentiality Agreements," which DarkOwl believes may include "some of the most personally identifiable information for the mega entertainer, such as her Social Security number."

Despite the flashy headlines, most of the Trump-related emails analyzed by DarkOwl simply involved mentions of him and had little to do with any of his activities. The REvil hackers have said this latest leak was just a part of the data they had, but Turnage said some of the files they leaked are simply clients of the law firm talking about staying at Trump Towers or hotels.  

Most of the data leaked related to Trump is just employees of Grubman, Shire, Meiselas & Sacks discussing the 2016 election and other superfluous files related to anything with Trump's name in it.

"When you look at the data, they just did keyword search against what they had and pulled out some documents. Now the hackers do declare in their latest press release that they intentionally didn't give the most sensational stuff about Trump and that they were reserving that to sell it. They said they have a buyer and have already made an agreement with them and have sold the Trump related releases, or most scandalous stuff, to a buyer," Turnage said. 

"There is a lot of discussion in the underground community about this. Most people are curious because they definitely have real Lady Gaga data and they definitely have infiltrated the email servers of this law firm. But are they spinning the Trump angle just to sound bigger and badder than they really are? Just to get media attention?"

Researchers at DarkOwl say the strain of ransomware used in this latest attack shares code with, or is otherwise related to, malware used in 2018 and 2019 called GandCrab. The people behind GandCrab made headlines last year after announcing that they would be shutting down their Ransomware-as-a-Service (RaaS) operation.

Turnage said many people think the same actors behind GandCrab have restarted their efforts and repackaged themselves with the same ransomware. Forensic analysis of the ransomware shows a lot of code and details that connect the REvil tools to GandCrab. DarkOwl's investigation of timestamps and other clues points to the group being based somewhere in Eastern Europe, Turnage added.

In their blog post, DarkOwl researchers explain that the Sodinokibi ransomware authors and their associates have been widely distributing the ransomware through infected JavaScript on WordPress websites. The ransom notes generally include instructions on how to make the payment to have the files decrypted, including unique keys and links to the payment site.

Lucy Security CEO Colin Bastable said he hoped this damaging situation would force all law firms to take cybersecurity more seriously.

"The law firm is caught between a hacking rock and a client base hard place. For every other law firm, ensure that all of the partners and staff are mandated to undergo training. We know that some partners and senior lawyers, like other high-powered professionals, dislike being required to undergo security awareness training," Bastable said.

"That client support will turn to overwhelming lawfare if the celebrities feel pain. If people need a lesson on how hackers fuse psychology, marketing and 'impending event' sales closing, this is a perfect case study in the black art of hackstortion."

In their latest blog post, the people behind REvil have said Madonna is the next target and they plan to auction off her confidential personal files on May 25 for a starting price of $1 million. The pivot to auctioning, according to DarkOwl, proves that the group is moving away from extorting Grubman, Shire, Meiselas & Sacks and into selling off the personal data of high-net-worth individuals. Some of the Madonna files have already found their way onto social media sites.

One of the most interesting aspects of the case is the response to the attack from other hackers. DarkOwl analysts found dozens of more experienced cybercriminals on Russian forums frustrated with how public the team behind REvil has made the situation.

"We stumbled on a thread where some of the older members of the forum were essentially saying they no longer respected REvil. In this forum, the older members were very concerned about the REvil group's approach of dragging in the president of the United States," Turnage said. 

"[The older members] said they saw a surge in activity on their forum and they didn't want the visibility. They wanted to stay hidden and stay on the down low. Their activity of bringing up Trump brought them unwanted attention, which they called foolish. One said they shouldn't be allowed to be in the forum anymore."
