Operators of the Sodinokibi (aka Sodin or REvil) Ransomware as a Service (RaaS) recently published over 12GB of data that allegedly belongs to one of its victims – Brooks International – that refused to pay ransom.
As if that weren’t bad enough, cyber-intelligence firm Cyble told BleepingComputer that it’s seen the data up for sale on hacking forums.
RaaS is the malware for lazy crooks who just want to launch attacks at the press of a button: it enables novice cybercriminals to build automated campaigns using third-party kits sold on the dark web. They don’t have to break a sweat by learning about malware, teaching themselves how encryption works, writing ransomware code, running an anonymous webserver on Tor to collect the loot, distributing decryption keys, or otherwise getting their hands dirty with technical details.
Sodinokibi – a GandCrab derivative blamed for numerous attacks that took place last year – is a prime example of RaaS.
BleepingComputer shared a screengrab of one such hacker forum post that showed a member advertising a link to the stolen data for 8 credits: that’s worth about €2 (USD $2.15, £1.72).
Brooks International is a global professional services firm that says it’s got clients in all industries and sectors. The data dump, if it proves legitimate, will prove highly valuable to cybercrooks, as it contains usernames and passwords, credit card statements, alleged tax information, and far more, according to BleepingComputer.
Does this data belong to employees or clients? One assumes clients, given that it allegedly contains credit card statements, but that’s just an assumption. Given that it also purportedly contains W-2 forms, it could well be a combination of employee and client data, all rolled into one very valuable database. At any rate, whoever the data belongs to should be worried, given that 1) purported purchasers are cackling with glee, and 2) Brooks hadn’t returned media inquiries as of Friday.
BleepingComputer quoted a number of comments left by purchasers on the forums:
It even has credit card number & a password. lol !!
Too bad these W2 forms weren’t Donald Trump’s taxes. lol !!
Thank you for being the hero we may not deserve, but need.
BleepingComputer tried to get in touch with Brooks to give the firm a heads-up about their data being sold. Lawrence Abrams, writing for the media outlet, said that even though editorial staff spoke with somebody, nobody returned BleepingComputer’s call with responses to questions. I left a message on Friday night but hadn’t heard back by the time this story published.
In lieu of official guidance from Brooks for clients or employees (at least, we haven’t heard of any such notification), those connected to Brooks might want to play it safe by checking their credit reports and credit card statements for unfamiliar activity, and by considering a credit freeze, which stops new credit accounts from being opened in their name without their say-so. Given that the dump allegedly contains usernames and passwords, anyone who reused a Brooks-related password elsewhere should change it now.
As for organizations that want to stay out of the clutches of ransomware RaaSers, please do read on for our advice:
How to protect yourself from ransomware
- Pick strong passwords. And don’t re-use passwords, ever.
- Make regular backups, and test that you can actually restore from them. They could be your last line of defense against a six-figure ransom demand. Keep at least one copy offline and offsite, where attackers who have already taken over your network can’t reach it, delete it, or encrypt it along with everything else.
- Patch early, patch often. REvil has broken into company networks through unpatched systems, unpatched Pulse Secure VPN appliances in particular, and it isn’t the only ransomware to do so: WannaCry and NotPetya likewise relied on unpatched vulnerabilities to spread around the globe.
- Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off Remote Desktop Protocol (RDP) if you don’t need it. If you do need it, never expose it directly to the internet: put it behind a virtual private network (VPN), require two-factor authentication (2FA), and use rate limiting (such as account lockout) to blunt password guessing.
- Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.
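The RDP and rate-limiting advice above, as an added example for Windows administrators: this script is not from the original article or from Sophos, and the VPN range, the lockout numbers and the brute-force threshold in it are assumed placeholder values to be replaced with your own. It audits a host’s RDP exposure, applies the lockdown (either switching RDP off, or restricting it to a VPN range with Network Level Authentication and account lockout), and counts failed RDP logons per source address from the Security event log. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article): audit and lock down RDP on a
# Windows host. $VpnSubnet and the lockout/threshold numbers are ASSUMED values.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Test-RdpHardening {
    # Report the settings that decide how exposed RDP is. Returns an object so
    # the result can be logged, ticketed or compared across hosts.
    $rdpEnabled = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla        = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication).UserAuthentication -eq 1
    $rules      = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                  Where-Object Enabled -eq 'True'
    $openToAny  = $rules | Get-NetFirewallAddressFilter | Where-Object RemoteAddress -eq 'Any'
    $lockout    = (net accounts) -match 'Lockout threshold'

    [pscustomobject]@{
        RdpEnabled        = $rdpEnabled
        NlaRequired       = $nla
        FirewallOpenToAny = [bool]$openToAny
        LockoutPolicy     = ($lockout -join '').Trim()
    }
}

function Invoke-RdpHardening {
    param(
        [switch]$DisableRdp,                 # use when the host has no need for RDP
        [string]$VpnSubnet = '10.8.0.0/24'   # ASSUMED example range, not from the article
    )

    if ($DisableRdp) {
        # RDP not needed: turn it off and disable the inbound firewall rules too.
        Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 1
        Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False
        return
    }

    # RDP needed: allow it only from the VPN/management range, never from 'Any'.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $VpnSubnet

    # Require Network Level Authentication, so a client must authenticate before
    # a session is created rather than at a login screen inside one.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1

    # Crude rate limiting: lock an account for 30 minutes after 5 bad guesses
    # within a 30-minute window (assumed values; tune to your environment).
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

function Get-RdpBruteForceSources {
    # Count failed logons (Security event 4625 with logon type 10, i.e.
    # RemoteInteractive/RDP) per source IP, to spot password guessing early.
    param([int]$Hours = 24, [int]$Threshold = 20)   # assumed defaults

    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.LogonType -eq '10') { $d.IpAddress }
        } |
        Group-Object | Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending | Select-Object Name, Count
}

# Usage:
#   Test-RdpHardening                              # what is the current state?
#   Invoke-RdpHardening -DisableRdp                # host does not need RDP at all
#   Invoke-RdpHardening -VpnSubnet '10.8.0.0/24'   # or restrict it to the VPN range
#   Get-RdpBruteForceSources                       # who has been guessing passwords?
```

Run Test-RdpHardening before and after Invoke-RdpHardening and compare the two objects; a host that still reports FirewallOpenToAny as True with RdpEnabled True is the kind of target the article describes. The event-log check complements, but does not replace, 2FA and a VPN: lockout slows guessing, it does not stop a valid stolen password from working.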
For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.
For more advice, please check out our END OF RANSOMWARE page.
One comment on “Stolen data of company that refused REvil ransom payment now on sale”
One of these days someone like me is going to get ahold of one of these crooks and make a video that will influence a few out of crime.