REvil-Ransomware Attack

The REvil ransomware hacking group has targeted Grubman Shire Meiselas & Sacks, a high-profile entertainment law firm that represents celebrities such as Lady Gaga, Madonna, Elton John, Barbara Streisand, Bruce Springsteen, Mariah Carey and Mary J. Blige.

The New York-based firm, Grubman Shire Meiselas & Sacks, offers legal services to the entertainment and media industries. According to researchers with Emsisoft, cybercriminals hit the law firm in a cyberattack using the REvil ransomware (also known as Sodinokibi). Information allegedly stolen includes clients’ phone numbers, email addresses, personal correspondence, contracts, and non-disclosure agreements made with ad and modeling firms.

“A limited amount of data has been posted on their Tor leak site – screenshots of a couple of contracts as well as the folders to which they claim to have had access,” Brett Callow, threat analyst with Emsisoft. The REvil Operators group claims to have exfiltrated 756 GB of data in total which is to be published in installments – unless the firm pays, of course.

The cybercriminals are threatening to release the data in nine installments, unless they are paid an undisclosed amount of money, said Callow. So far, they have reportedly published documents demonstrating the data that they compromised, including one allegedly signed by Madonna’s 2019 tour agent for her World Tour 2019-20 and the other allegedly signed by Christina Aguilera.

First uncovered by security researchers at Emisoft Ltd., the data stolen from the law firm includes contracts, nondisclosure agreements, phone numbers, email addresses, music rights and personal correspondence.

The details of the hack are somewhat vague, though the law firm itself told Variety Monday that it had “been victimized by a cyberattack.” The REvil group is best known for its attack on foreign exchange provider Travelex in late December. In that case, Travelex was reported to have paid a $2.3 million ransom for a decryption key to restore its network. The same gang was also behind the ransomware attack on data center provider Cyrus One Inc.

Tim Erlin, vice president of product management and strategy at cybersecurity firm Tripwire Inc., told SiliconANGLE today that companies’ first line of defense against ransomware is to prevent it from getting inside in the first place. Jonathan Knudsen, senior security strategist at electronic design automation firm Synopsys Inc., noted that “ransomware is effective and devastating because it allows hackers to sell information back to the people who value it most — the victims.

The exposure of their information may result in impersonation, identity theft, spear phishing attacks, BEC scams or other forms of fraud. Additionally, it’s also possible that the criminals will contact the people whose data has been exposed directly and attempt to extort money.

REvil is known to use RDP attacks, malspam as well as other attack mechanisms to initially target companies.


REvil ransomware and its capabilities: 

REvil aka Sodinokibi, Sodin is a ransomware family operated as a ransomware-as-a-service (RaaS). Deployments of REvil first were observed in April 2019, where attackers leveraged a vulnerability in Oracle WebLogic servers tracked as CVE-2019-2725. Applications such as database and mail servers lock files under use so that they cannot be modified by other programs. This prevents ransomware applications from encrypting them without shutting down the process that locked the file. REvil uses the Windows Restart Manager API to shut down processes or Windows services keeping a file open during encryption. REvil is highly configurable and allows operators to customize the way it behaves on the infected host. Some of its features include:

  • Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453.
  • Whitelists files, folders and extensions from encryption.
  • Kills specific processes and services prior to encryption.
  • Encrypts files on local and network storage.
  • Customizes the name and body of the ransom note, and the contents of the background image.
  • Exfiltrates encrypted information on the infected host to remote controllers.
  • REvil uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers.
  • Microsoft created the API for the smooth installation of software updates without performing a restart. Instead, it gets exploited for malicious purposes by ransomware.

The following best practices can be adopted for mitigating risk of ransomware infections: 

  • Backups are critical. Use a backup system that allows multiple iterations of the backups to be saved, in case a copy of the backups includes encrypted or infected files. Routinely test backups for data integrity and to ensure it is operational.
  • Use antivirus and anti-spam solutions. Enable regular system and network scans with antivirus programs enabled to automatically update signatures. Implement an anti-spam solution to stop phishing emails from reaching the network. Consider adding a warning banner to all emails from external sources that reminds users of the dangers of clicking on links and opening attachments.
  • Disable macros scripts. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.
  • Keep all systems patched, including all hardware, including mobile devices, operating systems, software, and applications, including cloud locations and content management systems (CMS), patched and up-to-date. Use a centralized patch management system if possible. Implement application white-listing and software restriction policies (SRP) to prevent the execution of programs in common ransomware locations, such as temporary folders.
  • Restrict Internet access. Use a proxy server for Internet access and consider ad-blocking software. Restrict access to common ransomware entry points, such as personal email accounts and social networking websites.
  • Apply the principles of least privilege and network segmentation. Categorize and separate data based on organizational value and where possible, implement virtual environments and the physical and logical separation of networks and data. Apply the principle of least privilege.
  • Vet and monitor third parties that have remote access to the organization’s network and/or your connections to third parties, to ensure they are diligent with cybersecurity best practices.
  • Participate in cybersecurity information sharing programs and organizations, such as MS-ISAC and InfraGard.
  • Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, not to click on links or open attachments contained in such emails, and to be cautious before visiting unknown websites.
  • Have a reporting plan that ensures staff knows where and how to report suspicious activity.