REvil Ransomware Gang Adds Auction Feature for Stolen Data

An anonymous bidding mechanism enhances the REvil group’s double-extortion game.

The REvil ransomware gang (also known as Sodinokibi) has added an auction feature to its underground website that allows anonymous bidding on information stolen in its targeted ransomware campaigns.

The auction capability appeared at the beginning of June, according to an analysis from Cyberint. In announcing the feature, REvil included details on its first lot, the firm said, containing accounting information, files and databases stolen from a Canadian agricultural company.

A few days later on June 8, bidding went live, giving interested parties the choice to submit a bid (starting at $50,000) or buy the data outright, with a higher “blitz” price ($100,000).

According to Cyberint, other victims whose data went up for sale in auction include a U.S. food distributor (accounts and documents with a starting price of $100,000 and a blitz price of double that); a U.S. law firm (50GB of data including confidential and personal information on clients, with a starting price of $30,000 and a blitz price of $50,000); and a U.S. intellectual property law firm (1.2TB of data including ‘all’ internal documentation, correspondence, patent agreements and client confidential information with a starting price of $1 million and a blitz price of $10 million).

As for why the latter’s data is so valuable, “data stolen from the intellectual property law firm reportedly includes information related to new technologies and unfiled patents that, given the high-profile client list, likely explains the high starting and blitz prices,” the firm noted in a report Monday, adding that the data would possibly be of interest to competitors or even a nation-state seeking to gain economic advantages.

However, that said, “any would-be purchaser would likely find it difficult to develop any stolen technology or product without arousing suspicion as to its origin and inviting legal repercussions,” the researchers added.

The auction process is a logical evolution for REvil, which is known for conducting targeted ransomware attacks with a side of extra extortion – including the major attack on Travelex in January. It locks up files but also exfiltrates information, and then threatens to release that data if the target doesn’t pay the ransom.

The auction process is entirely anonymous – a would-be bidder needs only to complete a CAPTCHA challenge, and is then issued a one-time set of credentials along with a unique Monero (XMR) cryptocurrency wallet address.

The bidder then is asked to use that wallet to pay a deposit to get started, which is equal to 10 percent of the starting bid; this is to weed out any fake bidders. The wallet is also used to make final payments in the event the person wins the bid.

“In addition to displaying details of the lot including current bids and the time remaining, each auction page also provides a series of links to websites where XMR can either be purchased or exchanged,” according to Cyberint’s analysis. “The use of a cryptocurrency such as XMR provides a further element of anonymity albeit there is a need for trust between the two parties as it would not be possible to request a charge-back in the event of non-delivery.”

The REvil ransomware gang first emerged in September 2019 as the likely successor to GandCrab, which had announced that it “retired” in May 2019. Since then, it has been responsible for a number of different attacks; in addition to Travelex, it recently hit celeb law firm Grubman Shire Meiselas & Sacks. It works with Lady Gaga, Drake and Madonna, among others, and the REvil gang claims to have stolen 756 gigabytes of data in the attack – including non-disclosure agreements, client contracts and personal correspondence.

It remains to be seen if the group’s auction activities are working out for it. “Whilst the creation of their own auction facility allows REvil to directly monetize their stolen data, without the need to pay commission to third-party forums or marketplaces, it remains to be seen what will happen to any stolen data if the auctions fail to attract any bidders,” Cyberint concluded. “Aside from reducing the auction starting price, it is possible that REvil make seek to offload seemingly valuable data via other sources if these auctions prove unsuccessful.”

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles