Update: Today, the hackers claimed that they had reached a private agreement with someone who wanted to buy all the data on Trump.
“Interested people contacted us and agreed to buy all the data about the US president, which we have accumulated over the entire time of our activity. We are pleased with the deal and keep our word.”
Maybe, but from what I found in the leak, which has now been taken down, I wouldn’t pay a dollar for it. My guess is that they were too worried about being pursued as terrorists and backed off. Instead, they have turned their focus on Madonna. Apparently, if the law firm still refuses to pay them by May 25th, they will sell all of the information on Madonna for 1 million dollars. Maybe Madonna will be interested, but I found nothing that anyone else would profit from.
Last week I reported on the hackers who took over the network of a law firm that represents numerous A-list stars. This hacking group, known as Sodinokibi or REvil, encrypted the files of the law firm of Grubman Shire Meiselas & Sacks. They demanded a ransom of $21 million to decrypt the firm’s files. If this was not paid within a certain period of time, the hackers threatened to release some of these files.
On May 14th, they did just that. They released several gigabytes of data on Lady Gaga. The dump mainly consisted of legal agreements and contracts. Nothing too sensitive really. Besides, most of the documents they released were more than 6 years old. I’m not sure what the logic is behind releasing such documents. Isn’t it the same as decrypting them for the law firm? Maybe they just wanted to prove that they controlled these files.
In any event, it seems that the law firm has called in a company called Coveware. Coveware acts as a kind of middleman between the breached company and the hackers. They are hired to negotiate the ransom and help the company with matters such as decryption. Coveware apparently did not accept the ransom demand and made a counter offer of $365,000. This appears to have infuriated the hackers, who have now doubled the ransom demand to $42 million. They say they will soon upload 100GB of data and warn that, “Lawsuits you will be pretty much, we guarantee it.” Okay.
Then things took a strange turn. The hackers made a different kind of threat. “The next person we’ll be publishing is Donald Trump. There’s an election race going on, and we found a ton of dirty laundry on time.” It’s not initially clear what this has to do with the law firm, so here’s the kicker. “Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever.” So, apparently, they want Trump to intercede on their behalf and make the law firm pay up. If he doesn’t do this, they will release documents that will, so they say, cost him the election. If they don’t reach a ransom agreement in one week, they will release the Trump documents.
I’m not sure if the hackers want to go down this road. Here’s where they begin to flirt with terrorism. After all, you can’t threaten the President of the United States. If this is determined to be a terrorist attack, then the law firm will not be allowed to pay the ransom because, then, they would be giving money to terrorists, which is illegal. This connection must have been brought to the hackers’ attention as, just yesterday, they posted a news release insisting that they were not afraid of being branded as terrorists, saying, “this will not affect our work in any way.”
These criminals need to keep in mind that this threat against Trump may actually have the exact opposite effect. If the company decides to pay the ransom, it may now appear as if Trump could have forced them to do so in order to save himself. Certainly, the media would love to pursue this angle. So, in order to protect himself from appearing to consent to extortion, Trump, or the F.B.I., may put pressure on the law firm not to pay the ransom. At this point, it does not look good for the hackers.
But are these criminals just bluffing? Do they really have information on Trump? Maybe and maybe not. It is possible that these hackers stumbled onto some Trump information in one of their other hacks. For example, one of their clients was connected to Mark Burnett of the Apprentice TV series. However, many in the media naively think that, because President Trump has no connection to this law firm, the hackers must be bluffing. That’s simply a misunderstanding of how hackers can use information they unearth to design other hacks. Besides, Trump Hotels have been hacked numerous times. They may have picked up some information from other hackers or in deep web dumps and found enough information to design a good spearphishing attack on someone connected to Trump.
But there is another way this group may have access to information on Trump. It is generally agreed that those leading the hacking group are Russian-based. This indication comes from the fact that the group will not attack sites that use the Russian language. They will also not attack other friendly countries, like Iran.
But keep in mind that attribution is not a pure science and the designers of the malware may just want to make it appear that they are Russian. That said, a linguistic analysis of the ransom note and other correspondence shows strong indication of Russian language influence (“destroy to the ground”). They also have a history of recruiting through Russian websites. So if they are, indeed, Russian, they may very well have connections with the Russian government, which certainly has some information on Trump.
There are a number of hacking groups that work for the Russian government. Most of these are used for information gathering. However, it is common knowledge that the Russian government will recruit good independent hackers, allowing them to continue to do their financial hacking as long as they help the government in return. This is often referred to as “government hacker by day, private hacker by night”. My guess is that this is the kind of relationship that at least some members of the Sodinokibi/REvil group have.
In yesterday’s press release, the hackers claim they will begin auctioning off stolen databases of individuals on the Russian-based joker buzz “information exchange” site. They figure either the law firm will buy it or those whose information was compromised will. They even encourage the media to bid on it. But, as they write, “We do not care. The main thing is we will get the money.”
This is actually an important point. Keep in mind that this is a business and businesses need profits in order to keep operating. For this reason, they are more likely than not to give the encryption key to the law firm if they reach an agreement. If they do not do this, and do this consistently, no one they hack in the future will ever pay the ransom. In other words, they have a reputation to maintain just like any company.
In addition to the threats, the criminals released some information purported to be an indication of what they have on President Trump. They also give this rather confusing advice, seemingly to President Trump: “I would hurry up. In the place of your competitor, I would buy all the data and put it right at the start of the election. That would be fun. But you can get ahead of him.” I think this is encouraging President Trump to buy any auctioned data on him that they may put up for sale, because, if he doesn’t, his competitor, the Biden campaign, will.
I looked through the samples they put up and found them, frankly, unremarkable. The only real mention of Trump in any of these emails is the following concerning whether they should use a quote from Trump or not.
“I would normally feel this is fairly low risk, but the fact that Donald Trump is so litigious (and has plenty of resources to bring claims) raises the risk factor significantly”
So, they eventually decide not to use the quote. That’s it.
Most of the emails deal with negotiations and contracts which, for those involved in them, may bring up serious problems. However, if I were asked to advise Donald Trump on this matter, I would tell him to keep his $42 million and use it on his election campaign. Nothing to see here so far, but check here for any updates.