REvil Ransomware Creates Auction Site for Stolen Data
An anonymous auction enhances REvil's extortion. The REvil ransomware gang has added an auction to its underground website that allows anonymous bidding on information stolen in its ransomware campaigns. The auction appeared at the beginning of June, according to an analysis from Cyberint. REvil included details on its first lot, containing accounting information, files and databases stolen from a Canadian agricultural company. A few days later, bidding started at $50,000, with a buy-now price of $100,000.
Other victims whose data went up for sale at auction include a U.S. food distributor, a U.S. law firm, and a U.S. intellectual property law firm with a starting price of $1 million. The law firm's data is so valuable because it includes information related to new technologies and un-filed patents. The law firm stated that the data would be of interest to competitors or even a nation-state seeking to gain economic advantages. However, it added, “any would-be purchaser would likely find it difficult to develop any stolen technology or product without arousing suspicion as to its origin and inviting legal repercussions.”
The auction process is an evolution for REvil, which is known for conducting targeted ransomware attacks and extortion. It locks up files but also steals information, and then threatens to release that data if the victim doesn't pay the ransom. The auction process is anonymous: bidders only need to complete a CAPTCHA challenge and are then issued a one-time set of credentials along with a unique Monero cryptocurrency wallet address. The bidder has to use the wallet to pay a 10% deposit to get started, which is done to weed out fake bidders. The wallet is also used to make the final payment when the bid is won. The auction displays details of the lot, including current bids and the time remaining, as well as links to websites where XMR can be purchased or exchanged.
The REvil ransomware gang is the likely successor to GandCrab, which had announced that it retired in May 2019. Since then, it has been responsible for many attacks including the celebrity law firm, Grubman Shire Meiselas & Sacks. The REvil gang claims to have stolen 756 gigabytes of data in the attack including non-disclosure agreements, client contracts and personal correspondence.
It's not known whether the group's auctions are working out. Even though the auction allows REvil to monetize its stolen data, it remains to be seen what will happen if the auctions fail to attract any bidders. REvil may sell the valuable data through other channels if these auctions aren't successful.