Is it legal to buy stolen data from criminals? In most countries the answer would be no. But will it lead to a penalty or a fine? That is a different question and I’m afraid some companies and organizations will be inclined to seriously consider the last question even when they know the answer to the first one. Maybe we can at least agree that it is not ethical or recommended.
As we reported earlier, some ransomware operators make it a habit to exfiltrate data from the networks they break into. The stolen data are to be used as an extra incentive to persuade the victims into paying. If the victims don’t pay up, the stolen data will be published.
But now, the Sodinokibi, aka REvil, ransomware operators have come up with yet another way to make money using the stolen data. They have launched a new auction site used to sell victims' stolen data to the highest bidder. Considering how this information could be interesting to several parties when it concerns a high-profile victim, or to a select few when it concerns a direct competitor, it makes sense to ask for a steep price.
The ransomware gang already ran a site called “Happy Blog” where they post samples of the stolen data and then threaten to release the actual files to the public. For the auction site they use this new format:
On the auction site you can find information about the organizations they have stolen data from and some information about what the data includes.
On the site you can find these rules:
By clicking “continue” you confirm that you agree to the terms above. You will be given a username/password and details of deposit payment.
In the description for each dataset, you find the starting price and the minimum deposit (10% of the starting price), but also a blitz price that allows you to buy the data without further bidding.
Apparently not. On their auction site the authors posted a hint that there might be more interesting data forthcoming.
“And we remember the Madonna and other people. Soon.”
As we have reported earlier, a law firm representing many megastars fell victim to the Sodinokibi gang as well. So, we anticipate that those stolen data may be in high demand and bring the criminals a pretty penny.
Buying these data is a bad idea for several reasons.
These auctions may be yet another trend in the ransomware-as-a-service business models, even though the extra exposure involved in selling data may slightly heighten the chances of the criminals getting caught. Many organizations have adapted to the fact that ransomware exists and have taken precautions by way of protection and by creating easy-to-deploy backups.
Malwarebytes detections for Sodinokibi are almost exclusively against our business customers
In case you are interested in some more background information about the Sodinokibi ransomware we highly recommend these Malwarebytes resources:
Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void
Sodinokibi drops greatest hits collection, and crime is the secret ingredient
Detection profile for Ransom.Sodinokibi
Stay out of their greedy claws, everyone!
The post Sodinokibi ransomware gang auctions off stolen data appeared first on Malwarebytes Labs.