Ransomware gives bad actors two bites of the cherry: extorting money from victims, and selling exfiltrated information to the highest bidder.
The REvil ransomware gang (also known as Sodinokibi) has added an auction feature to its underground website that allows anonymous bidding on information stolen in its targeted ransomware campaigns.
The auction capability appeared at the beginning of June, according to an analysis from Cyberint. In announcing the feature, REvil included details on its first lot, the firm said, containing accounting information, files and databases stolen from a Canadian agricultural company.
A few days later, on June 8, bidding went live, giving interested parties the choice to submit a bid (starting at $50,000) or buy the data outright at a higher “blitz” price ($100,000).
According to Cyberint, other victims whose data went up for sale at auction include a U.S. food distributor (accounts and documents with a starting price of $100,000 and a blitz price of double that); a U.S. law firm (50GB of data including confidential and personal information on clients, with a starting price of $30,000 and a blitz price of $50,000); and a U.S. intellectual property law firm (1.2TB of data including ‘all’ internal documentation, correspondence, patent agreements and client confidential information, with a starting price of $1 million and a blitz price of $10 million).
As for why the latter’s data is so valuable, “data stolen from the intellectual property law firm reportedly includes information related to new technologies and unfiled patents that, given the high-profile client list, likely explains the high starting and blitz prices,” the firm noted in a report Monday, adding that the data would possibly be of interest to competitors or even a nation-state seeking to gain economic advantages.