REvil Ransomware attacks New York City famous Law Firm, Top Celebrities Data at Risk


Top Celebrities data at risk after REvil Ransomware hits Grubman Shire Meiselas and Sacks famous Law Firm

Grubman Shire Meiselas & Sacks is a law firm based in New York City. It is universally recognized as one of the premier entertainment and media law firms in the country, representing the most prominent companies, talent, and executives. It is a transactional law firm specializing in all areas of entertainment and media, including music, film, television, live theater, books and magazines, fashion, and sports.

However, the law firm has been attacked by the REvil ransomware, also known as Sodinokibi. It is believed that 756 GB of client data is at risk following the attack. Because the firm is so prominent and has a high-profile clientele, the data at risk belongs to celebrities such as John Mellencamp, Elton John, David Letterman, Robert De Niro, Christina Aguilera, Barbra Streisand, and Madonna.

According to some reports, data belonging to celebrities including Nicki Minaj, Priyanka Chopra, Mariah Carey, Bruce Springsteen, Lady Gaga, Jessica Simpson, and Mary J has already been leaked. As of now, we cannot say who is next, but we will update this post if more names emerge.

The above image was shared by the hackers as proof.

REvil can perform the following tasks. Most of these capabilities are configurable, which allows an attacker to fine-tune the payload.

  • Exploit the CVE-2018-8453 vulnerability to elevate privileges
  • Terminate blacklisted processes prior to encryption to eliminate resource conflicts
  • Wipe the contents of blacklisted folders
  • Encrypt non-whitelisted files and folders on local storage devices and network shares
  • Exfiltrate basic host information

The breached data includes contracts, telephone numbers, email addresses, personal correspondence, and non-disclosure agreements. Telephone numbers and email addresses can mostly be abused for spamming clients, but the leak of non-disclosure agreements and contracts can cause real business harm.

Currently, the attackers are demanding an unknown sum in Bitcoin from the law firm in exchange for keeping the data under wraps. As a sample of what they hold, two letters, believed to be signed by an agent for Madonna's 2019 tour and by Christina Aguilera, have also been published on the dark web.

Hence, as the FBI suggests, it would be in the best interest of Grubman Shire to pay up, given the massive opportunity cost at stake. They should also strengthen their security by implementing best practices such as external audits to win back the trust of their clients.

Meanwhile, researchers have discovered a new version of the REvil ransomware.

REvil Ransomware 2.0

The new version of the ransomware uses the Windows Restart Manager API to terminate processes that hold open a file targeted for encryption. When one process already has a file open without sharing, a second attempt to open that file fails with a sharing violation; Restart Manager lets the ransomware identify and shut down the processes holding the lock so that encryption can proceed. Intel 471 researchers spotted that Sodinokibi now implements this technique using the Windows Restart Manager, an approach also used by other ransomware families such as SamSam and LockerGoga.

“REvil ransomware opens files for encryption with no sharing (dwShareMode equals 0). As a result, the Restart Manager is invoked whenever a sharing violation occurs when opening an already opened file.” The attackers also added a command-line option, -silent, that skips the blacklisted processes, services, and shadow copy deletion.
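As an added hunting example (not from the article or from Intel 471), the following PowerShell query looks for processes that load the Restart Manager library rstrtmgr.dll, which a ransomware sample must do before it can call the API described above. It assumes Sysmon is installed with image-load logging (Event ID 7) enabled, and the allowlist of installer paths is an assumption to be tuned per environment.

```powershell
# Added hunting query: which processes loaded the Restart Manager library in the
# last 24 hours? REvil 2.0 uses this API to clear file locks before encryption.
# Assumes Sysmon is installed and Event ID 7 (Image loaded) is being logged.

# Assumption: paths that legitimately use Restart Manager on this estate.
$KnownGood = @(
    'C:\Windows\System32\msiexec.exe',
    'C:\Windows\SysWOW64\msiexec.exe',
    'C:\Windows\servicing\TrustedInstaller.exe'
)

$Filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 7                               # Sysmon: Image loaded
    StartTime = (Get-Date).AddHours(-24)
}

$Hits = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Sysmon stores its fields as <Data Name="..."> elements; flatten them.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.ImageLoaded -like '*\rstrtmgr.dll' -and $KnownGood -notcontains $d.Image) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Image     = $d.Image            # the process that loaded the DLL
                ProcessId = $d.ProcessId
            }
        }
    }

# Summarise by loading process: an unsigned or user-writable path (Temp, AppData,
# Downloads) loading rstrtmgr.dll deserves a closer look.
$Hits | Group-Object Image | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object Time)[0].Time } } |
    Format-Table -AutoSize
```

Many legitimate installers, updaters and office suites load rstrtmgr.dll, so treat the output as a hunting pivot to tune rather than a ready-made alert.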

