REvil gets messed with Trump: data sold to third parties

Criminals behind REvil ransomware attacked Grubman Shire Meiselas & Sacks Law firm and demand $42M ransom for not disclosing details on celebrities

REvil attack

REvil attack

The famous New-York based Grubman Shire Meiselas & Sacks Law (GSMS)[1] firm providing specialized legal services for having been hit by the infamous REvil[2] ransomware at the beginning of May 2020. One of the most proliferate ransomware as a business (RaaS) infections circulating on the web, the REvil, dubbed as Sodinokibi, managed to leak over 756GB of sensitive data on the company’s celebrity clients, including the U.S. president Trump, Lady Gaga, Jennifer Lopez, Christina Aguilera, Barbra Streisand, Maria Carey, Andrew Webber, Elton John, the Kardashian sisters & family, Madonna, Nicki Minaj, Tom Cruise, among many others.

On May 7, criminals behind REvil ransomware virus published a message on the dark web warning the company that the leaked data will be sold and disclosed publicly unless the firm pays an outstanding $42 million ransom demand.

Entertainment and Media Lawyers

It seems that GRUBMANS doesn’t care about their clients or it was a mistake to hire a recovery company to help in the negotiations. As we promised, we public the first part of the data because the time is up.

Elton John
Barbara Streisand
Lady Gaga
and others

Contracts, telephones, email, personal correnspondence, NDAs and more (756Gb)

Since the GSMS exceeded the limit of the negotiations (10 days) and failed to pay the starting $21M ransom, hackers doubled the payment to $42M and proved that they are not joking by exposed 2.4GB of data marking Lady Gaga[3] as the first Grubman Shire Meiselas & Sacks Law’s data leak victim.

According to the parties that had access to the uploaded Lady Gaga-related personal data, these files are mostly standard music industry documents and paperwork, including collaborators, producers, agreements, expense sheets, promotional photos, etc. In general, no sensitive data that could be used against the celebrity. 

The data about the U.S. president Trump has already been sold. True or false?

Upon the exposure of Lady Gaga’s credentials, criminals contacted the firm claiming that the U.S. president Donald Trump[4] is standing the second in the line of the REvils data leak victims. The Tor-based dark web site managed by REvil have been added with the following threatenings: 

There’s an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president. Well, let’s leave out the details. The deadline is one week.

A couple of days after, criminals created another entry with a claim saying that they have already found a potential buyer for the information about the president. 

As proof of the crime, REvil’s managers uploaded 160 emails. In return, several “interesting people” reacted and expressed interest in buying the stolen data. However, parties who have already viewed so-called Trump’s “dirty laundry” claim that the data is, in fact, useless. There are no compromises except for legal documents and agreements[5]

The Grubman Shire Meiselas & Sacks Law confirmed the attack, but have no plans to pay the ransom

The victim of the notorious REvil ransomware, the Grubman Shire Meiselas & Sacks Law, has confirmed the attack for Variety[6] and expressed their concern on the current situation. 

“Despite our substantial investment in state-of-the-art technology security, foreign cyberterrorists have hacked into our network and are demanding $42 million as ransom. We are working directly with federal law enforcement and continue to work around the clock with the world’s leading experts to address this situation. 

Nevertheless, advised by FBI and security firms like Emsisoft, the company is not planning to negotiate with the criminals and, despite being threatened with further data exposures of celebrity clients, reject to pay the demanded $42M ransom. 

Although the company risk of being prosecuted for inadequate data protection by Lady Gaga and other celebrities whose data may be exposed publicly in the future, the company follows the opinion that paying the ransom will not assure that the stolen data will not be kept by the criminals and sold in underground forums for a considerable amount of money. 

Besides, there are some doubts about the truthfulness of the attack. According to some sources[7], the U.S President Trump is not a client of the Grubman and does not have any connections to the firm as a business, private, or administration person. If that’s not only rumors, it may be that the REvil’s managers are faking some of the leaked files and maybe the leaked data is not that important as intimately believed.