Ransomware Attacks Continue to Surge in 2020

As we have previously written about (with its attack on Light S.A.), Sodinokibi is considered one of the most dangerous and successful ransomware threats of 2020. This week, Brown-Forman Corp, manufacturer of alcoholic beverages and famous for manufacturing Jack Daniels products, was a victim of Sodinokibi. The company refused to pay the ransom, which led to the REvil hackers publishing the exfiltrated data on their public "wall-of-shame".

Additionally, recently the REvil group claimed to have stolen gigabytes of legal documents from GSMLaw law firm, containing dozens of international stars and celebrities sensitive data. Our team confirmed that those documents are for auction on the deep web site, starting at $600,000, or you can buy instantly at a blitz price of $1.5 million each. however, there is no way to confirm if the document data really exists or if it's just a threat.

Now, it appears that the REvil group may have successfully infiltrated three international targets, in the oil and gas, insurance, and consulting industries. A new posting on their "Happy Blog", the deep web page on which they publish information about some targets (specifically ones that decide not to pay the ransom), cites information on quest-worldwide.com (Australia), eurecat.com (France) and National Western Life (USA). National Western Life was published with a threat, in which the hackers claim "lack of discretion" and even published the family documents of Ross Moody, the COO.

We note that these new targets have not had their files leaked on the site yet — the site claims that REvil has the stolen data, with screenshots of it, and recommends that the companies contact the hackers (except for the National Western Life, where they have already published Ross Moody’s family documents).

REvil data leaking differs from the others in its auction model, whereby they publish for free most of the stolen data, and put on auction the most sensitive data for any user to bet on using the Monero (XMR) cryptocurrency.

This behavior shows that ransomware attacks are, in fact, data leak attacks as well, and attackers are getting more aggressive on their data theft model. Recent attacks show that publishing the data may have a higher financial impact on the companies than having their files encrypted/locked.

The Deep Web images below, from REvil have had some information blurred out to protect the companies.

National Western Life - publicly-traded insurance company, based in Austin, TX

Eurecat - Oil and Gas firm, headquartered in France

Quest Worldwide - Consulting firm, based in Sydney, Australia

Felipe Duarte Domingues, Security Researcher, Appgate