Today’s big ransomware story is a star-studded affair, according to the entertainment news site Variety.com.
Variety says that the law firm Grubman Shire Meiselas & Sacks, or gsmlaw.com for short, has suffered a ransomware attack that apparently involved the aptly named REvil malware.
Rather than simply shutting the law firm down temporarily, the ransomware crooks are said to have stolen personal data about a laundry list of celebrities – over 750 GB in total, including contracts, contact information and “personal correspondence”.
The gsmlaw.com website is currently as good as offline (2020-05-11T14:15Z), showing just a logo, and the site’s main menu has been commented out entirely (the green text below indicates HTML comments):
HTML extracted from the gsmlaw.com main web page at 2020-05-11T14:15Z.
Green text indicates commented-out HTML code.
Variety’s headline names Lady Gaga, Madonna and Bruce Springsteen as clients who were affected, but the article itself lists many more:
Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s “Last Week Tonight With John Oliver,” and Run DMC. Facebook is also on the hackers’ hit list.
REvil, also known as Sodinokibi (or Sodinokib), doesn’t just work on the old-school ransomware model of “scramble your files and offer to sell you the decryption key”.
The latest trend in ransomware attacks is a double-barrelled approach that gives victims two reasons to pay.
The original criminal plot behind ransomware was that if you didn’t have reliable backups you could restore quickly, you might have little choice but to pay to decrypt all your scrambled files and get your business running again.
Indeed, by first breaking into your network and taking the time to prepare an attack that hits most or all of your computers at the same time, the cybercriminals aim to cause the most disruption they can.
That has led to some eye-watering ransom demands, with figures exceeding $1,000,000 these days.
In recent months, however, the crooks have doubled down.
Before scrambling all your files as a way to grab your attention, the villains quietly upload large troves of so-called “trophy data” that they can use to blackmail anyone who hesitates to pay.
In other words, the extortion is no longer just a “kidnap ransom” to get your files back, but also a blackmail demand to stop the crooks from leaking your data – or, worse, your customers’ data – to the world.
The modus operandi seems to be to leak what you might call a proof-of-concept sample first, as a way to convince the victim that the data really was exfiltrated…
…and then to release more and more as part of the “negotiating” process, to pressure the victim into negotiating.
Indeed, the REvil crew has already followed through on its threats against victims who didn’t pay.
Less star-studded, but no less worrying, is a report that global mailing equipment company Pitney Bowes has suffered an attack by the Maze ransomware.
Maze is another cybercrime gang that demands huge ransoms and threatens to expose stolen data; last year it infamously demanded $6,000,000 from cable and wire manufacturer Southwire.
Southwire hit back by filing a so-called John Doe civil lawsuit (the name used in the US where suspects have not yet been identified) against the as-yet-unknown criminals behind Maze.
What to do?
Given that ransomware crooks no longer just lock you out of your data but also threaten to share it with the rest of the world, prevention is far better than cure.
Our top tips are:
- Patch early, patch often. Crooks who pull off all-your-network-at-once attacks give themselves time to try every existing hole they know about. Make it harder for them by patching known bugs as soon as possible.
- Make sure you have no unexpected ways into your network. It’s OK to use technologies such as RDP and SSH for remote administration – just make sure your only remote sign-on portals are where you expect them to be and are set up as you intended, for example, behind a VPN (virtual private network).
- Look at your logs. Ransomware attacks that first steal masses of data, and in which the crooks learn their way around your network, often leave tell-tale signs that someone is hanging around where they shouldn’t be.
- Set up an early-warning email address for staff. Crooks often use email to phish for the passwords or data they need to find their way in. The crooks rarely email just one person in an organisation, so one alert person who raises the alarm can warn 50 colleagues who might otherwise have fallen for the trick.
- Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
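As an added example (not code from the article or from Sophos) of the second and third tips combined, here is a small log-review script that walks SSH authentication lines and flags accepted logins that look out of place: a remote sign-on from outside the VPN range, a login outside business hours, or a success that follows a burst of failures for the same user and address. The log lines, the VPN range 10.8.0.0/24, the business-hours window and the failure threshold are all constructed assumptions for the demonstration; the format follows the usual OpenSSH “Accepted/Failed … for USER from IP port N” wording with an ISO timestamp prefix.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a syslog-like sshd format; not real logs.
SAMPLE_LOG = """\
2020-05-11T02:14:01Z host1 sshd[811]: Failed password for admin from 203.0.113.9 port 51022 ssh2
2020-05-11T02:14:03Z host1 sshd[811]: Failed password for admin from 203.0.113.9 port 51023 ssh2
2020-05-11T02:14:05Z host1 sshd[811]: Failed password for admin from 203.0.113.9 port 51024 ssh2
2020-05-11T02:14:07Z host1 sshd[811]: Failed password for admin from 203.0.113.9 port 51025 ssh2
2020-05-11T02:14:09Z host1 sshd[811]: Failed password for admin from 203.0.113.9 port 51026 ssh2
2020-05-11T02:14:11Z host1 sshd[811]: Accepted password for admin from 203.0.113.9 port 51027 ssh2
2020-05-11T09:30:12Z host1 sshd[902]: Accepted publickey for alice from 10.8.0.5 port 40122 ssh2
2020-05-11T22:45:50Z host2 sshd[345]: Accepted publickey for bob from 10.8.0.7 port 40200 ssh2
"""

# Assumptions for this example (not from the article): remote administration is
# only expected from the VPN range, during business hours (UTC), and a success
# preceded by this many failures from the same source is worth a look.
VPN_RANGES = [ipaddress.ip_network("10.8.0.0/24")]
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59
FAILURE_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict with ts/host/result/user/ip for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def in_vpn(ip):
    """True if the source address falls inside one of the expected VPN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def find_suspicious_logins(log_text):
    """Return (line_no, user, ip, reason) tuples for accepted logins that look odd."""
    findings = []
    failures = defaultdict(int)   # (ip, user) -> consecutive failures seen so far
    for n, line in enumerate(log_text.splitlines(), 1):
        event = parse_line(line)
        if event is None:
            continue
        key = (event["ip"], event["user"])
        if event["result"] == "Failed":
            failures[key] += 1
            continue
        reasons = []
        if not in_vpn(event["ip"]):
            reasons.append("login from outside VPN range")
        if event["ts"].hour not in BUSINESS_HOURS:
            reasons.append("login outside business hours")
        if failures[key] >= FAILURE_THRESHOLD:
            reasons.append(f"success after {failures[key]} failures (possible brute force)")
        failures[key] = 0   # a success resets the counter for that source/user
        for reason in reasons:
            findings.append((n, event["user"], event["ip"], reason))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_logins(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, the 02:14 login for admin from 203.0.113.9 trips all three checks, alice’s daytime VPN login is clean, and bob’s VPN login is flagged only for the late hour. In practice you would feed the script real auth logs and tune the ranges and hours to match where your remote sign-on portals are supposed to be; a flagged login is a prompt to look, not proof of compromise.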