Attackers who hit the New York-based entertainment and media lawyers Grubman Shire Meiselas & Sacks using the REvil ransomware that attacks Windows systems have threatened to sell data on celebrities like singer Nicki Minaj, basketball star LeBron James and singer Mariah Carey through an auction process on 1 July.
The starting bid that the cyber criminals are asking for each set of data is US$600,000. But prior to any auction, the attackers say, on the dark Web, that they are willing to return all the data to the legal firm if they are paid US$42 million.
The group says data on the companies Bad Boy Entertainment Holdings, Universal and MTV will also be sold at auction on 3 July. The starting price for these data lots differs, with the minimum bid for the Bad Boy data being US$750,000 while for the other two firms it is a million US dollars each.
There have been reports that sub-domains of the main Grubman Shire Meiselas & Sacks domain are using an unpatched version of the Pulse Secure VPN server.
Brett Callow, a ransomware researcher with New Zealand-headquartered security firm Emsisoft, said attackers who used REvil were known to use vulnerable Pulse Secure VPN servers to gain a foothold in a network and then bide their time before launching a ransomware attack.
Today noticed that gispc[.]com (-> gsmlaw[.]com) has some interesting subdomains.
So then went to @bad_packets & asked about.
About the “citrix” subdomain they have nothing.
But, they found “secure” subdomain was CVE-2019-11510 vulnerable at least until 2nd half October 2019…
— MalwareHunterTeam (@malwrhunterteam) May 16, 2020
As iTWire reported on 8 May, the legal firm Grubman Shire Meiselas & Sacks has a huge number of high-profile clients, including Maroon 5, Robert De Niro, Elton John, Barbra Streisand, John Mellencamp, Rod Stewart, Ricky Martin, Shania Twain, KISS, The Weeknd, Lil Wayne, and David Letterman.
Among the companies it represents are Facebook, Activision, iHeartMedia, IMAX, Sony, Last Week Tonight with John Oliver, MTV, NBA Entertainment, New York Magazine, Tribeca Film Festival, The Spider-Man Partnership, HBO, Vice Media and Samsung Electronics.
Top-flight athletes like James, Carmelo Anthony, Sloane Stephens, Colin Kaepernick and Scottie Pippen are also on the company’s client list.
The company has removed all pages from its website, apart from a landing page with its name. It has never listed a media contact address; iTWire looked for one on 8 May and found none.
Callow told iTWire: “Incidents such as this are happening more and more frequently, and are very often the result of companies’ failure to adhere to very well established security best practice such as prompt patching, using MFA (multi-factor authentication) everywhere it can be used, locking down RDP (remote desktop protocol), and so on.”
He said any company that did not take these steps was likely to find itself in the exact same situation as Grubman Shire, adding that there was no easy way out of such a situation.
“Refuse to pay off the criminals and the pilfered data will be published, auctioned and/or used to attack the company’s customers and business partners,” said Callow.
“Pay off the criminals and – well, the exact same things still happen. Companies only have the word of a bad faith actor that the data will be destroyed.”