Celebrity personal data taken in ransomware attack

Today’s big ransomware story is a star-studded affair, according to entertainment news website Variety.com.

Variety says that the law firm Grubman Shire Meiselas & Sacks, or just gsmlaw.com for short, has experienced a ransomware attack that apparently involved the appropriately named REvil malware.

Rather than simply knocking the law firm out of action temporarily, the ransomware crooks are said to have stolen personal data from a laundry list of celebrity clients, too – allegedly more than 750GB in total including contracts, contact information and “personal correspondence”.

The gsmlaw.com website is as good as offline right now [2020-05-11T14:15Z], with just a logo on display and the main menu of the website commented out entirely (the green text below denotes HTML comments):

HTML extracted from gsmlaw.com main web page at 2020-05-11T14:15Z.
Green text denotes HTML code that has been commented out.

Variety’s headline drops the names Lady Gaga, Madonna, Bruce Springsteen as customers who were affected, but the article itself lists many more:

Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s “Last Week Tonight With John Oliver,” and Run DMC. Facebook also is on the hackers’ hit list.

REVil, also known as Sodin or Sodinokibi, isn’t just operating on the old-school ransomware model of “scramble your files and offer to sell you back the decryption key”.

The latest trend in ransomware attacks is to use a double-barrelled weapon that gives victims two reasons to pay up.

The original criminal plot behind ransomware was that if you didn’t have reliable backups that you could restore quickly, then you might have little choice but to pay up to decrypt all your scrambled files and get your business moving again.

Indeed, by breaking into your network first and taking time to prepare an attack that scrambles most or all of a your computers at the same time, cybercriminals aim to cause the most significant disruption that they can.

That has led to some eye-watering ransom amounts, with demands over $1,000,000 very common these days.

In recent months, however, the crooks have doubled down on their leverage.

Before scrambling all your files as a way of grabbing your attention, the crooks quietly upload huge troves of so-called “trophy data” that they use to blackmail anyone who is hesitant to pay up.

In other words, the financial extortion is no longer just a “kidnap ransom” to get your files back, but also a blackmail demand to stop the crooks leaking your data – or, worse still, your customers’ data – to the world.

The modus operandi seems to be to leak what you might call a proof-of-concept sample first, as a way of convincing the victim that the data really did get exfiltrated…

…and then let more and more go as part of the “bargaining” process to persuade the victim into negotiating.

Indeed, the REvil crew has already followed through on its threats to embarrass victims who don’t pay

Less star-studded but no less worrying is a simulataneous report that global mailing equipment company Pitney Bowes has experienced an attack by the Maze ransomware.

Maze is another cybercrime gang that goes in for huge ransoms and threatens to expose stolen data, infamously demanding about $6,000,000 last year from cable and wire manufacturer Southwire.

Southwire hit back by filing a so-called John Doe (the name used in the USA where defendants haven’t yet been identified) civil lawsuit against the as-yet-uknown unknown criminals behind Maze.

What to do?

Given that ransomware crooks are no longer just keeping you away from your data but also threatening to put the rest of the world in touch with it, prevention is very much better than cure.

Our tops tips are:

  • Patch early, patch often. Crooks who pull off all-your-network-at-once attacks can afford to spend time probing for any existing holes they know about. Make it harder for them by patching known bugs as soon as you can.
  • Check that you don’t have unexpected ways into your network. It’s OK to use technologies such as RDP and SSH for remote administration – just make sure your only remote login portals are where you expect them to be and are set up as you intended, for example within a VPN (virtual private network).
  • Watch your logs. Ransomware attacks that steal masses of data first, and where the crooks carefully learn their way around your network, very often leave telltale signs that someone is hanging around where they shouldn’t.
  • Set up an early-warning email address for staff. Crooks often use phishing emails to dig for passwords or data they arent’t supposed to have in order to find their way in. The crooks very rarely send emails to a single person in an organisation, so one alert staffer who raises the alarm could warn 50 colleagues who might otherwise be in harm’s way.
  • Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.