Agromart’s data up for auction while threat actors read — and publish — their victim’s emails about the attack

According to their website, The Agromart Group in Canada provides crop nutrients, seed, crop protection products, custom application and associated services to agricultural producers across Eastern Canada. Last month, they experienced a ransomware attack by the Sodinokibi/REvil threat actors.  That in and of itself would be newsworthy, but then the threat actors decided to try to auction off the data they stole from the group. While other threat actors have put stolen data up for sale when their victims did not meet their demands, creating an auction site and system appears to be the next step in the evolution of ransomware attacks in 2020.

The idea for an auction had been raised previously in the context of auctioning off Madonna’s files held by the Grubman Shire Meiselas & Sacks law firm. At the time, REvil suggested that Madonna’s files would be put up for auction with a starting bid of $1 million. That hasn’t happened (although the threat actors say they will get back to that one). In the interim, though, it seems that REvil has opened its own auction platform, with the Agromart data being one of the first on the auction block:

“Agromart Group is a group of companies engaged in crop production and agriculture in Canada. Contains accounting documents, and accounts, plus a lot of important information that may be of value to competitors or interested parties. All files of actual information for the last 3 months. Also in the archive you will get several databases that are no less interesting. Archive in zip format 1. Files pdf,docx,xlsx – 22328 2. Database – 3 When the auction is over, you will be provided with a download link from the cloud with the following deletion.”

Bidders need to register on their auction site, deposit $5,000.00, and then make an opening bid of at least $50,000.00  The “blitz” price is $100,000.00.

As they have done in other incidents, the threat actors have also posted a number of unredacted files they exfiltrated from their victim’s server(s).

In this case, some of the correspondence they have posted seems intended to embarrass Agromart. Other correspondence concerns Agromart’s response to the ransomware attack itself, including transcribed notes from a conference call about the attack, emails about the firm’s steps and concerns as they respond to the attack, etc.

The “pirats” posted a copy of internal email about them.

Did no one tell the company not to use corporate email or phones to communicate about the breach or their plans?

None of the correspondence this site has seen so far indicates the amount of ransom REvil is demanding.

The auction is slated to end in less than 7 days. Whether they will get any purchasers remains a matter of speculation. The same threat actors claimed that they sold their files on Trump, but of course, who knows if there’s any truth to that or if there were files, if they contained anything that wasn’t already in public files. With Agromart, however, and apart from the corporate and intellectual property, there may also be personnel information that could lead to identity theft and other problems.


About the author: Dissent

Comments are closed.