REvil responds to Grubman Shire law firm: “We will get the money”
A ransomware team that locked up the files of entertainment law firm Grubman Shire Meiselas & Sacks after stealing copies of the files has responded to reactions to their demand for $42 million to unlock the files and to prevent the attackers from releasing the firm’s files about President Trump. The attackers claim that the staggering ransom demand represented a doubling of the original $21 million demand after the law firm did not appear to have negotiated in good faith and did not pay by the deadline.
In conjunction with the press release, the attackers started dumping some of the firm’s client files concerning Lady GaGa. But it was their threat about President Trump that seemed designed to really get attention — and it did. As reported previously on this site, their first press release contained this threat:
The next person we’ll be publishing is Donald Trump. There’s an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president. Well, let’s leave out the details. The deadline is one week.
Reactions to their first press release were predictable.
We know that the government doesn’t want victims paying ransom demands, as it encourages more people to commit such crimes. And I’ve reported in the past that the government may tell victims not to pay because even if they pay, the attackers may not give them a decryption key, the key may not work and they may still lose data, or the attackers may not keep their word about deleting data. When challenged on those claims, however government spokespeople have admitted to me that in more than 94% of cases, attackers do keep their word and give the victims decryption keys. What’s not clear to me is what percent of times attackers who were paid then release the data or sell it after promising it to delete it. Indeed, it would generally be bad for attackers if they don’t keep their word as that would reduce the likelihood of future victims believing their assurances and paying them. But it may be that there are many cases where attackers then sell data privately and we never find proof of that.
Does this mean that I think that victims should never pay attackers or always pay them? Absolutely not. As I’ve explained many times, that’s something that I think needs to be determined on a case by case business that considers factors like revenues that will be lost if payment is not made and the entity cannot function, but also considers factors like whether lives will be on the line in the event the victim is a medical or critical services entity. But what I do think is that if entities do pay ransom, they shouldn’t admit it publicly unless required to by law.
In any event, Sodinokibi/REvil ransomware attackers struck what appears to be a goldmine of files involving celebrities. But it appears that Grubman will not pay any ransom and has made clear that Trump was never a client of theirs. That latter statement makes it sound like the attackers were bluffing about having dirt on Trump.
Last night, the hackers responded to reactions to their first press release and posted what they describe as the first part of information about Donald Trump – the part “with the most harmless information” about him.
The archive of files is less than 7 MB compressed, and when extracted, it contained 169 items, mostly message/email files that appeared pretty innocuous from what I could read. Some files that mentioned Trump were simply references to news stories about him. Other messages addressed legal issues concerning him, such as trailers that make fun of him, etc.
That dump doesn’t prove anything at all as far the Trump threat goes.
In their second press release, the Sodinokibi (REvil) ransomware operators reiterated their intention to get paid — one way or the other. They point out that one of their options is to start auctioning off the law firm’s clients’ data every week (by last name) on an information exchange on the dark web that they name.
We’ve seen that type of approach before. Hackers of a Lithuanian plastic surgery center who failed to get the medical center to pay them offered to sell patient data back to the patients first, with the threat that if the patients didn’t pay, the hackers would put the data up for sale. Similarly, we saw thedarkoverlord attempt to extort celebrity patients of a London plastic surgery center, and we saw patients of a Florida medical practice also contacted with ransom demands. I don’t think any of those incidents resulted in any big money for the attackers– if any at all. And those are sensitive medical files.
Would any of Grubman’s clients pay ransom to get files or information held by the law firm out of the public arena? Possibly. Again, it often depends on how sensitive or damaging the information might be. A significant percentage of law firm files are public records, but negotiations and internal correspondence about clients or strategies could be embarrassing or problematic if revealed.
But in outlining options and what their responses may look like, the hackers also caution Grubman. Referring to law enforcement, they write:
2) Your data will remain unavailable. Let’s be honest. Even these idiots cannot decipher elliptic cryptography. Although you can continue to believe them. You incur losses daily, and they are actively investigating this crime, although they themselves understand that they will fall into the wall. Moreover, they are looking for performers, not organizers. This is their business, we have fun watching with popcorn.
From what has been published so far, it doesn’t sound like the law firm will reverse itself and suddenly pay. So what will REvil do next? I don’t know, but if I was a betting woman, I’d bet that they will follow through on their threats. I doubt they really have anything on Trump that would change anything in the election, but I do think they will dump other clients’ files or what could be embarrassing internal communications about clients.
Can Grubman’s firm survive this attack? It depends. Do they have any kind of usable backup to restore from? And will their clients understand and stay with them, or will they jump ship because the firm did not provide sufficient security to keep confidential files confidential? In previous studies on breaches, we used to see reports of churn that would suggest that a certain percentage of clients will stop using a company if their data was breached. But that would assume that there are other alternatives to the breached firm or entity.
Are there other entertainment law firms clients could go to? Yes. Will they? We’ll have to wait and see.