The Sodinokibi ransomware gang is opening an eBay-style marketplace for the data it has stolen. To promote it, the gang intends to capitalize on its hack of the law firm to the stars, Grubman Shire Meiselas & Sacks, whose files include cases involving Lady Gaga, Madonna and dozens of other celebrities.

On June 2, the Sodinokibi criminal group added to its website a platform for auctioning off the databases it steals, as noted by Bleeping Computer. Ransomware operators like this one are used to demanding a ransom and threatening to publish their victims' data, but setting up a sales platform is a new practice.

With the platform, the hackers can turn a profit every time they manage to deploy their malware: either the victim pays the ransom to decrypt its data, or other criminals pay to exploit the stolen data.

Sodinokibi had already made headlines in May with its hack of the law firm GSMLaw, which gave it access to the data of dozens of celebrities.

The cybercriminals began by publishing part of Lady Gaga's data, then claimed to have sold supposedly compromising data on Donald Trump for more than one million euros. Since the firm refuses to pay the $42 million demanded, the extortionists announced that they would put the data up for sale. Next victim: the singer Madonna.

Thousands of euros to put down to take part in the auction

Although the auction platform is hosted on the dark web, the cybercriminals have set strict rules, of which they are the sole guarantors. The first two databases put up for sale (one belonging to a food company, the other to an agricultural products company) are presented the same way.

The hackers also summarize the content of the data in a few lines, then indicate a starting price, a buyout price (the "Blitz Price"), and the deposit required to access the auction. In the case of the agri-food company's database, the amounts are, respectively, 100,000, 200,000 and 10,000 dollars.

Any prospective bidder must create a separate account for each sale they wish to take part in. They must then deposit 10% of the starting price (the $10,000 mentioned above), an amount that is refunded at the end of the auction. The hackers reserve the right to keep the deposit of the auction winner if they fail to pay, in order to deter fake bids. Although bids are placed in dollars, the final transaction is settled in Monero, a cryptocurrency increasingly used by cybercriminals in place of Bitcoin, which is more closely monitored by the authorities.

The Sodinokibi ransomware gang diversifies into data resale

With this eBay for stolen data, the hackers behind the Sodinokibi ransomware (also known as REvil) have taken a further step in how they follow up on their hacks.

Once it has entered the victim's computer system, the Sodinokibi malware encrypts every piece of data it finds, rendering it unreadable. Not only does the victim lose access to its internal information (such as its contacts, customers or employment contracts), but most of its tools stop working properly. The hacker then demands a ransom in exchange for the decryption key needed to restore the system. Just two years ago, the story most often ended there: either the victim paid the ransom, or it restored its system from backups. But the second option, though slow and expensive, quickly became the consensus, for many reasons.

To keep getting their targets to pay, the criminals had to innovate. Sodinokibi followed the industry trend and earlier this year launched a blog called the "Happy Blog", on which it gradually publishes its victims' data. Like a hostage-taker cutting off a lock of hair to pressure those paying the ransom, they publish samples of the data.

$260,000 demanded in ransom on average

They kill two birds with one stone: they prove they are serious and threaten their victims with even greater harm. A data leak could cost the victim customers and significantly damage its financial position in the medium term. And for good reason: once the data is published free of charge, many malicious actors will use it to fuel their own attacks.

With their auction platform integrated into the Happy Blog, the REvil hackers push the concept further. They are diversifying their sources of income: on top of being extortionists, they are also data thieves and resellers. ZDNet estimated Sodinokibi's average ransom demand at more than 260,000 dollars, a substantial sum, but one the large organizations targeted by the hackers can afford. The starting price of the first data sets put up for sale is only 2 to 3 times lower than the average ransom amount, which makes the practice rather attractive, since not every ransom gets paid.

Madonna's data, soon to be auctioned

Sodinokibi had already run a first test at the end of May: the gang claimed to have sold a database compromising Donald Trump for a million dollars. And they intend to ride the same hack to test their new business model, as the warning that closes their blog post makes clear: "We are reminded of Madonna and others. Soon."

