Three New Dimensions to Ransomware Attacks Emerge During Pandemic

My name is Shahzaib Ali a

Three significant new trends in cyber-attacks have emerged from the Covid-19 emergency. Firstly, a new generation of attack software, which has been developing since last summer, has come of age and been deployed. Secondly, the business model for extracting payment from victims has changed so that there are multiple demands for payments of different kinds, including auctioning off data. Thirdly, the kinds of clients that the gangs are targeting seem to have shifted.

If you are going to auction data, the data has to be interesting. Celebrity data is the new commodity in the ransomware market. These new developments are being driven by the same economic pressures that are changing the legitimate economy.

A new generation of ransomware

The 33-year-old is thought to be the mastermind behind arguably the most sophisticated cyber-crime network the world has ever seen. Twitter user Evgeniy Mikhailovich.

A new business model?

The new development is that not only are these gangs using new kinds of attack weapons, they are also deploying a variety of new business models to extract multiple potential pay days from their victims. Traditionally the hackers would use ransomware to seize the data of a target company and then demand that the company pay a ransom for the return of that data.

At the beginning of the year Travelex was hacked via an unpatched VPN connection and a stolen email address and password. The exchange company lost $25m when it was forced to stay closed and is reported to have paid the hackers $2.3m to recover the data.

The traditional model of payment seen in the Travelex attack allows the attacker only one payoff. The first element in the new business model is the request for multiple payments.

The first payment is for the recovery of the data; a further payment is then demanded to delete the stolen files rather than release them. The first payment gives the company the decryptor code or key so that its files can be decrypted and the data restored, but the attacker still holds copies of the files after that.

A sample of files stolen from Allied Universal released by hackers.

The third element is the auctioning off of the data to competitors via dark web sites. REvil set up an auction site at their Happy Blog space and offered the files of a Canadian agricultural production company.

“The victim firm’s auction page says a successful bidder will get three databases and more than 22,000 files stolen from the agricultural company. It sets the minimum deposit at $5,000 in virtual currency, with the starting price of $50,000.”

A new type of target

These trends in attacks all come together in two recent hacks that give a clue to the new kind of target and the new kind of extortion that is emerging. They also highlight the weakness of the cyber security systems in firms that hold the data of a large number of wealthy and high-profile individuals. The new business model for the ransomware gangs: the celebrity data hack.

In the first case one of the largest and most successful entertainment law firms, Grubman Shire Meiselas in New York, had data stolen about a range of clients as diverse as Barry Manilow, Bruce Springsteen, Rod Stewart, Lil Nas X, The Weeknd, U2 and Drake. Other clients listed are Priyanka Chopra, Robert De Niro, Sofía Vergara, LeBron James, Mike Tyson, President Trump and Lady Gaga.

The hackers demanded an initial $21m for the return of 756 gigabytes of data, including contracts with many of the weird and wonderful riders stars insist on, NDAs that they force their personal staff to sign, and personal emails. Some taster documents have been released and the tit-for-tat game is on. The hackers have increased their demands to $21m. The Grubman hack has been blamed on Covid-19, but it is not clear how it occurred.

The auction site for the Grubman hack.

There has now been a second attack on a celebrity data treasure trove. The prominent London entertainment law firm Lee and Thompson has been hacked and a significant amount of sensitive client data has been taken. Lee and Thompson’s website says that the firm acts for leading actors, musicians, producers and entrepreneurs. Their clients include David Beckham and Harry Styles, a member of the One Direction boy band.

The Lee and Thompson hack seems to have originated in its acquisition of another law firm, Montgomery Barker, in 2017. The credentials of Montgomery Barker’s founder were compromised when sales intelligence firm Apollo’s database was breached in May 2018, and again in October 2019 when People Data Labs was hacked. As a result of the Apollo hack the private Gmail address of the founder of Montgomery Barker, Sarah Barker, and her quintessentially English password, “marmalade”, became a tradeable commodity for hackers and was published on the dark web.

The team using REvil will have worked their way from the private email account into Montgomery Barker’s server and from there into Lee and Thompson’s IT as the two firms integrated. Documents taken include client details, billing correspondence, contracts and non-disclosure agreements. There has been no public comment by Lee and Thompson.

The Gold Garden team deploying REvil are now in a win-win situation. They have hit, either by accident or by careful planning, on a precious commodity: celebrity data. If these two law firms do not pay they will lose clients and face lawsuits. If they do pay then they will have to pay twice, once for the decryptor and once for the deletion.

Every gossip and media organisation on the planet would like this archive. The hacker teams recently made a forced switch to a new, harder-to-detect cryptocurrency for payment, in preparation perhaps for the chequebooks of the world’s media.
