Three significant new trends in cyber-attacks have emerged from the Covid-19 emergency. Firstly, a new generation of attack software which has been developing since last summer has come of age and been deployed. Secondly, the business model for extracting payment from victims has changed so that there are multiple demands for payments of different kinds, including auctioning off data. Thirdly, the kinds of clients that the gangs are targeting seems to have shifted. If you are going to auction data of the data has to be interesting. Celebrity data is the new commodity in the ransom ware market. These new developments are being driven by the same economic pressures that are changing the straight economy.
A report by Chain Analysis in April 2020 showed that the number and success of cyber attacks had not markedly increased during the pandemic and the revenues paid to ransom ware attackers had actually declined. As the number of ransom ware attacks and the payments made to the criminal gangs have both dipped, so the gangs have responded to the downturn with innovation.
A new generation of ransom ware
The ransom ware used in recent attacks is called Revil. Which is also sometimes called Sodinokibi or Sodin. It is being used by a gang called Golden Garden who have their origins in the Rock Phish gang. The Eastern Europe groups that deploy these attacks so successfully, have morphed into multiple identities and used every more sophisticated forms of mal and ransomware.
The most colorful character among this group, Evgeniy Bogachev, the Tiger King of hacking, is supposed to have retired to his Black Sea resort home town with US sanctions and a $4m bounty on his head but even if he is not still active many of his old crew are. These same groups had used the previously most sophisticated attack software called Grand Crab. It looks likely that Grand Crab was retired at the end of May last year and Revil has replaced it.
The 33-year-old is thought to be the mastermind behind arguably the most sophisticated cyber-crime network the world has ever seen. Twitter user evgeniy Mikhailovich.
A new business model?
The new development is that not only are these gangs using new kinds of attack weapons, they are also deploying a variety of new business models to extract multiple potential pay days from their victims. Traditionally the hackers would use ransom ware to steal the data of a target company and then demand that the company pay a ransom for the return of their data. At the beginning of the year Travelex was hacked via an unpatched VPN connection and a stolen email address and password. The exchange company lost $25m when it was forced to stay closed and is reported to have paid the hackers between $2.3m to recover the data.
The traditional model of payment seen in the Travelex attack allows the attacker to only get one pay off. The first element in the new business model is the request for multiple payments. Firstly, for the recovery of the data and then a further payment to delete rather than release the files. After the victim company’s files are decrypted. The first payment gives the company the decryptor code or key so that the data can be restored but the attacker still has copies of the files.
The second payment is for the files to be deleted. The threat is that if the payment is not made the files will be published and can then be accessed by competitors. At the end of last year, and for the first time, one of the gangs released 10% of a companies data to try and leverage the additional payments for deletion.
A sample of files stolen from Allied Universal released by hackers. The third element is the auctioning off of the data to competitors via dark web sites. REvil set up an auction site at their Happy Blog space and offered the files of a Canadian Agricultural production company.
“The victim firm’s auction page says a successful bidder will get three databases and more than 22,000 files stolen from the agricultural company. It sets the minimum deposit at $5,000 in virtual currency, with the starting price of $50,000.”
REvil’s auction house.
A new type of target
These trends in attacks all come together in two recent hacks that give a clue to the new kind of target and the new kind of extortion that is emerging. They also high light the weakness of the cyber security systems in firms that hold the data of a large number of wealthy and high profile individuals. The new business model for the ransom ware gangs: The celebrity data hack.
In the first case one of the largest and most successful entertainment law firms, Grubman Shire Meiselas, in New York had data about a range of clients as diverse as Barry Manilow, Bruce Springsteen, Rod Stewart, Lil Nas X, The Weekend, U2 and Drake. Other clients listed are Priyanka Chopra, Robert De Niro, Sofía Vergara, LeBron James, Mike Tyson, President Trump and Lady Gaga stolen. The hackers demanded an initial $21m for the return of 756 gigabytes of data including contracts with many of the weird and wonderful riders stars insist on, NEDs that they force their personal staff to sign, and personal emails. Some taster documents have been released and the tit for tat game is on. The hackers have increased their demands to $21m. The Grubman hack has been blamed on Covid-19 but it is not clear how it occurred. The senior partner at the firm, Allen Grubman, is said to be refusing to negotiate. The hacker group claim to have sold the Trump documents, while Grubman denies there were any Trump related documents taken. Their auction side it set up and ready to roll.
The Auction site for the Grubman Hack.
There has now been a second attack on a celebrity data treasure trove. The prominent London entertainment law firm Lee and Thompson has been hacked and a significant amount of sensitive client data has been taken. Lee and Thompson’s website says that the firm acts for leading actors, musicians, producers and entrepreneurs. Their clients include David Beckham and Harry Styles, member of the One Direction boy band. The Lee and Thompson hack seems to have originated in its acquisition of another law firm, Montgomery Barker in 2017. The credentials of Montgomery Barker’s founder were compromised when sales intelligence firm Apollo’s database was breached in May of 2018 and again in October 2019 when People Data Labs was hacked. As a result of the Apollo hack the private gmail address of the founder of Montgomery Barker, Sarah Barker, and her quintessentially English password- “marmalade”- became a tradeable commodity for hackers and was published on the dark web. The team using REvil will have worked their way from the private email account into the Montgomery Barker’s server and from there into Lee and Jones’s IT as the two firms integrated. Documents taken include client details, billing correspondence, contracts and non-disclosure agreements. There has been no public comment by Lee and Thompson.
The Gold Garden team deploying REvil are now in a win win situation. They have hit either by accident or by careful planning on a precious commodity: celebrity data. If these two law firms do not pay they will lose clients and face lawsuits. If they do pay then they will have to pay twice, once for the decryptor and once for the delete. If they do not pay, then their dark web version of abay, will see them auction the largest horde of celebrity memorabilia, intimate documentation and private insight ever to surface. And who is going to bid? Every gossip and media organisations on the planet would like this archive. The hacker teams recently made a forced switch for payment to new harder to detect cryptocurrency, in preparation perhaps for the chequebooks of the world’s media.