Or rather, pay your hapless law firm the ransom! Yours truly – REvil

The website of New York law firm Grubman Shire Meiselas & Sacks was hacked recently, with up to 756GB of data stolen, including contracts and personal emails relating to celebrity clients such as Madonna, Andrew Lloyd Webber, LeBron James, Elton John and Lady Gaga.

The hackers, identified as the group REvil, had previously carried out a devastating ransomware campaign against foreign exchange giant Travelex. REvil promptly released a screenshot of a contract with Madonna to show they have ‘the goods’, and also uploaded proof of possession of stolen data directories. Non-payment of the ransom demand could result in certain sensitive information being made public; but even payment of the ransom does not guarantee any goodwill from cybercriminals.

CybersecAsia has obtained comments from Niels Schweisshelm, Technical Program Manager, HackerOne, about this incident: “The malware strain used to attack Travelex (Sodinokibi) can infect companies either by attacking its employees via (spear)phishing attacks, or can be deployed inside companies by exploiting known vulnerabilities in internet-facing servers. So without too much speculation, the attack is either the result of exploiting an outdated server on the internet belonging to the affected company, or via an employee that opened a malicious URL/attachment in an email message.”

Schweisshelm said several sources mention that this malware strain has been used to infect data centers, airports and governmental entities. The scale and type of victims indicate that these attacks are targeted and focus on maximizing potential gains; Travelex, for example, was eventually forced to pay US$6 million as ransom. “Whether the screenshots published by the threat actors are genuine is hard to say for outsiders; however, the targeted company should have no issues verifying the authenticity of the contract and client list.”

According to another expert, Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group: “Ransomware is effective and devastating because it allows hackers to sell information back to the people who value it most—the victims. As with other ransom situations, it is also impossible to know if paying the ransom will make your problem go away. Even if you regain access to your own information, your attacker might still have a copy of the information and be able to resell it to other interested parties.

Personal information is valuable by itself, but personal information about celebrities is even more valuable. The attackers in this case have, unfortunately, perpetrated a crime with deep impact.

Like the celebrities whose information is now in jeopardy, we all interact with organizations every day that might result in a situation like this. It is impossible to evaluate the security posture of every business where you have sensitive information, and for the most part, we must rely on a system of trust. Businesses can reduce the risk of a catastrophic breach by taking a proactive, security-first stance and following industry best practices in designing and implementing their technology solutions.”