Sodinokibi operators found and threaten to publish incriminating evidence on Trump

In early May 2020, the hacker group behind the development of the ransomware REvil (Sodinokibi) hacked the New York law firm Grubman Shire Meiselas & Sacks (GSMS). In the stolen documents, Sodinokibi operators found incriminating evidence on Trump.

Among the clients of this company are dozens of world stars: the GSMS customer list contains such names as Madonna, Lady Gaga, Elton John, Robert De Niro, Nicki Minaj, U2 and others. I would like to note that last week representatives of the law firm confirmed the fact of the hack in an interview with Variety journalists.

As evidence of the attack, the hackers published screenshots that we provide below (they show which folders fell into the hands of the criminals). The group claims that the total volume of stolen information amounts to 756 GB, including contracts, phone numbers, email addresses, personal correspondence, non-disclosure agreements and much more.

[Image: Sodinokibi found evidence on Trump]

Additionally, as evidence of the hack, REvil operators released small fragments of the stolen documents. In one case, it was a legal agreement signed in 2013 by Christina Aguilera and another artist who participated in one of her music projects (Aguilera’s name is no longer on the GSMS client list).

A fragment of another document was an agreement between a member of the 2019-2020 Madonna World Tour team and Live Nation Tours. This paper was signed on July 17, 2019 and contains the team member’s name and social security number.

Let me remind you that we have already written more than once that ransomware operators recently have not only encrypted companies’ data but also stolen it, so the victim company faces the risk of having those documents published openly. The developers of REvil were among the first to adopt this tactic and even created a special site for such “leaks”. Currently, more than two dozen dumps are published on the group’s website, belonging to victims who refused to pay the ransom to the hackers.

After hacking GSMS, the group, as usual, gave the affected company a week to pay the ransom. This deadline has already expired, but what appeared on the attackers’ website was not another data dump but a new message.

REvil operators unexpectedly stated that during negotiations GSMS representatives offered them a payment of $365,000, while the hackers demanded $21,000,000 for the stolen data.

“Since the ransom was not paid at the appointed time, we decided to double it, that is, now the amount is no less than 42 million dollars”, – said the hackers.

As one more confirmation of the seriousness of their intentions, the criminals unveiled a 2.4 GB archive that contains Lady Gaga’s legal documents (mostly contracts for concerts, merchandising, and appearances on TV).

[Image: Sodinokibi found evidence on Trump]

However, the main card of the REvil operators, on the basis of which they demanded such a fabulous amount from the injured law firm, was not the contracts and riders of show-business stars. The fact is that the attackers have now threatened GSMS that they will publish incriminating evidence on US President Donald Trump.

“There is an election race now, and at the same time we found a bunch of dirty laundry. Mr. Trump, if you want to remain a President, poke with a sharp stick in these guys, otherwise you can forget about your presidential ambitions forever. And voters, we can report that after such a publication, you definitely will not want to see him as President. Well, for now, omit the details. The deadline is one week”, — says a new statement from the REvil creators.

In response, representatives of Grubman Shire Meiselas & Sacks reported that they are already cooperating with the FBI, and that law enforcement officials consider the group’s threats an “act of cyber terrorism”.

It is not yet clear whether the hackers’ threats have any real basis. For example, PageSix, citing its own sources, writes that Donald Trump is not and has never been a Grubman Shire Meiselas & Sacks client, and representatives of the law firm say exactly the same. If true, it means that the hackers are bluffing and trying to put pressure on the top management of GSMS.

Whatever the truth, REvil operators definitely did not like being called terrorists. The attackers did not wait for the ransom payment deadline to expire, broke out in an angry tirade on their website and published 169 letters in which Donald Trump was mentioned one way or another.

The group emphasizes that for now this is harmless data, but, allegedly, worse is to come. So far, it looks as if the hackers simply searched for the word “Trump” among the data they have and posted every letter in which it appeared. This is far from “dirty laundry”, just a lot of incidental mentions.

“Call it an act of terrorism. Your position is your choice. But this will not affect what we do. Mr. Lawyer claims that Donald was never their client. He claims that we are bluffing. Well. The first part, with the most harmless information, we will publish here”, — write the criminals.

Additionally, the hackers said that if the ransom is not paid, customers’ data will be put up for sale every week on the darknet (in alphabetical order). The attackers note that they don’t care who ultimately buys this information – the stars themselves, the media or blackmailers – the main thing is that the group will be able to make money on it.


About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
