REvil/Sodinokibi Hackers Allegedly Found Buyer For Stolen Trump Data

The hacker group behind the REvil/Sodinokibi ransomware recently attacked Grubman Shire Meiselas & Sacks(GSMS), a major New York-based law firm, encrypting and stealing sensitive information and threatening to release it if a $42 million ransom is not paid.

At the beginning of May, the hackers breached the law firm's network. They allegedly stole more than 750GB of data that included email addresses, phone numbers, personal correspondence, music rights, and nondisclosure agreements of a considerable number of A-list celebrities. Some of the celebrities whose data was stolen include Madonna, Elton John, Bruce Springsteen, Mariah Carey, Nicky Minaj, and Jessica Simpson.

The REvil/Sodinokibi group has also claimed to have stolen sensitive data related to US President Donald Trump, which is one of the main reasons why the ransom demand is so enormous. The hackers first demanded $21 million, but doubled that amount after ten days of fruitless negotiations with GSMS, in which the company offered to pay only $365,000.


This Week in Malware Ep2: Sodinokibi Ransomware is a Ransomware-as-a-Service

The attackers also posted some small chunks of data and teasers of what they have in store. Images posted by the threat actors online included a Live Nation contract for Madonna's 2019-20 "Madame X" tour, while a further 2.4GB of Lady Gaga legal documents concerning concerts, TV appearances, and merchandising was released as punishment for the failed negotiations with GSMS.

The Trump Connection

Alongside the Lady Gaga leak, the ransomware gang has threatened to release US President Donald Trump's "dirty laundry", stating:

"The next person we'll be publishing is Donald Trump. There's an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don't want to see him as president. Well, let's leave out the details. The deadline is one week. Grubman, we will destroy your company to the ground if we don't see the money. Read the story of Travelex, it's very instructive. You repeating their scenario one to one."

However, it has been revealed that President Trump has never been a GSMS client before and after assuming office. Considering this, the gang's claim might be nothing more than an attempt to put pressure on the law firm through empty threats.

The law firm has responded to this by calling the REvil gang "foreign cyberterrorists" in a statement to Page Six.

"The leaking of our clients' documents is a despicable and illegal attack by these foreign cyber terrorists, who make their living attempting to extort high-profile US companies, government entities, entertainers, politicians, and others," the company said, adding: "We have been informed by the experts and the FBI that negotiating with, or paying ransom to terrorists is a violation of federal criminal law. Even when enormous ransoms have been paid, the criminals often leak the documents anyway."

After the escalation, the attackers published and archive that, according to them, contained "the most harmless information" on President Trump. The leak was a collection of about 160 emails that just mentioned Trump in passing and had nothing much to do with him. In a later announcement, the hackers said that they had been contacted by individuals that expressed interest in buying the data related to the US president and expressing their readiness to hand it over to whoever is willing to pay the asked price.

Some have speculated that this doesn't reflect reality, and the hackers are just trying to save face after claiming to have access to information that would be damaging to President Trump. And while Trump might be in the safe, the attackers are planning to auction off Madonna's files with a starting price of $1 million, promising full confidentiality to the purchaser, who will also be the sole owner of the data once the sale is complete and the threat actors delete their copies.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.


HTML is not allowed.