I report and analyse breaking cybersecurity and privacy stories
A notorious hacking group has claimed to have “dirty laundry” on President Trump and has threatened to publish it next week if one of the biggest cyber-ransoms ever isn’t paid.
The same hackers who successfully attacked a celebrity New York law firm last week have now claimed to have “a ton of dirty laundry” about President Trump. As first reported by Page Six, those hackers are now demanding a ransom of $42 million (£34.6 million) and have threatened to publish the information they hold if this isn’t paid within the next week.
The hackers concerned are the cybercriminal REvil ransomware operators. The group, also known as Sodinokibi, has a long and inglorious history of attacks, including the devastating one against Travelex. The most recent is the ransomware attack against the New York lawyers whose clients include Lady Gaga, Madonna and Bruce Springsteen.
As well as locking down systems, this group operates a double-whammy system whereby they exfiltrate data before encrypting it and use this as leverage to facilitate ransom payment. Don’t pay up, and the hackers publish documents from the stolen haul, as has been the case when Tesla, SpaceX and Lockheed Martin were caught in the crossfire of an attack by a different group against a parts supplier earlier this year.
Having already stolen a reported 756 gigabytes of such data from the Grubman, Shire, Meiselas and Sacks law firm and posted documents relating to Lady Gaga and Madonna on the dark web, the attackers are now upping the ante.
The original ransom demand was for $21 million (£17.3 million), but this has now been doubled after that was not paid, and the threat regarding documents concerning President Trump has now been thrown into the mix.
I spoke to Brett Callow, an analyst at Emsisoft with expertise in dark web criminal activity, who told me that so far, the REvil operators have posted more than two gigabytes of data relating to Lady Gaga that includes contract documents.
The following demand has now appeared on the hackers’ dark web site:
“The next person we’ll be publishing is Donald Trump. There’s an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president. Well, let’s leave out the details. The deadline is one week.”
It is understood that President Trump isn’t, nor has he ever been, a client of the New York law firm. Quite what, if any, documentation relating to Trump the group has remains to be seen.
The FBI is investigating the incident and is understood to have advised the law firm not to negotiate with the attackers or pay the ransom as this would violate federal criminal law.
The full statement given to Page Six by the Grubman, Shire, Meiselas and Sacks law firm is interesting, in that it stated: “We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law,” and concluded, “we are grateful to our clients for their overwhelming support and for recognizing that nobody is safe from cyberterrorism today.”
Brett Callow says this is more than interesting; it is significant. “As far as I know, no ransomware attack has ever been classed as a terrorist act, and that includes attacks on US cities and hospitals, so organizations have always been permitted to negotiate. I can only assume this classification is due to the threat to Trump.”
That could be terrible news for the REvil criminals and, indeed, for the celebrity clients whose documents they possess. Once terrorism is brought into the equation, the hunt for such threat actors takes on an altogether different dimension. “The criminals have shot themselves in the foot by mentioning Trump,” Callow says. “There’s no way they can collect a ransom, so they’ll probably publish the rest of the data or auction it.”