Dive Brief:
- Operators of the REvil ransomware, also known as Sodinokibi, are auctioning stolen data on a newly launched dark web site with similarities to eBay, Bleeping Computer reports.
- In the past, REvil published stolen data when ransoms went unpaid. The shift to selling the data is the group's "first ever stolen data auction," reports cybersecurity journalist Brian Krebs.
- The data is reportedly linked to an agricultural production company based in Canada and a food distributor in the U.S., according to Bleeping Computer. From the two companies combined, the group reportedly has at least three databases and upwards of 22,000 files available for auction. Starting bids range from $50,000 to $200,000.
Dive Insight:
REvil is reshaping the methodology behind traditional ransomware attacks. Its operators are prolific and show no sign of slowing their attacks.
In the last year, the ransomware strain was linked to cyberattacks on at least 23 Texas municipalities, 400 U.S. dental offices, managed service provider CyrusOne and Complete Technology Solutions, an IT service provider for dental offices.
REvil hit Travelex at the end of 2019, and the company paid its attackers about $2.3 million in ransom. The initial infection took down Travelex's websites globally, and recovery took about a month.
When a victim refuses to pay, the group posts previews of the stolen data on its blog, "Happy Blog." It has already teased data linked to one of its more recent victims, law firm Grubman Shire Meiselas & Sacks, which has a celebrity client list. The group claims to have information on President Donald Trump and is offering it with a $1 million price tag, according to Bleeping Computer.
REvil's operations resemble those of Maze and GandCrab. GandCrab's operators are likely the ones behind REvil: they announced their "retirement" in May 2019, and REvil debuted about a month later.
The economic downturn caused by COVID-19 is pressuring companies to avoid paying ransoms in order to save money. "This may be a way for REvil operators to recoup costs of operations," said Josh Smith, security analyst at Nuspire, in an emailed statement to CIO Dive.
By auctioning the data, the group is letting bidders determine what it is worth. "This appears to be the next evolution of public dumping," said Smith.