- Ransomware operators of REvil, also known as Sodinokibi, are auctioning stolen data, according to a site they launched on the dark web with similarities to eBay, reports Bleeping Computer
- In the past, REvil published stolen data when ransoms went unpaid. The shift to selling information is the hacking group's "first ever stolen data auction," reports Brian Krebs, cybersecurity journalist.
- The data is reportedly linked to an agricultural production company based in Canada and a food distributor in the U.S., according to Bleeping Computer. Between the two companies, the hacker group reportedly has at least three databases and upwards of 22,000 files available for auction. Initial bids start between $50,000 and $200,000.
REvil is reshaping the cybercriminal methodology behind traditional ransomware attacks. The REvil operators are prolific, with zero indication of restraining attacks.
In the last year, the ransomware strain was linked to cyberattacks at least 23 Texas municipalities, 400 U.S. dental offices, managed service provider CyrusOne and an IT service provider for dentist offices, Complete Technology Solutions.
REvil hit Travelex at the end of 2019, and the company paid its hackers about $2.3 million in ransom. The initial spread of the virus took down Travelex's websites globally and recovery took about a month.
The hacking group, when publishing data of companies that refuse to pay the ransom, posts previews of stolen data on its blog, "Happy Blog." The group already teased data linked to one of its more recent victims, law firm Grubman Shire Meiselas & Sacks, which has a celebrity client list. The hacking group claims to have information on President Donald Trump, offering it with a $1 million price tag, according to Bleeping Computer.
REvil's operations have similarities to Maze and GandCrab. GandCrab's operators are likely the ones behind REvil, after announcing their "retirement" in May 2019 and REvil's debut about a month later.
The economic downturn caused by COVID-19 is pressuring companies to avoid paying a ransom and try to save money. "This may be a way for REvil operators to recoup costs of operations," said Josh Smith, security analyst at Nuspire, in an emailed statement to CIO Dive.
The hacker group is allowing its bids to determine demand. "This appears to be the next evolution of public dumping," said Smith.