The ransomware operators of REvil have reportedly established an eBay-like dark web site to auction stolen data.
REvil, also referred to as Sodinokibi, is a ransomware operation that targets corporate networks through exposed remote systems, spam, software exploits and compromised service providers.
The operators are known to follow an organized playbook: they first gain administrative access to the target's domain controllers, then deploy the ransomware to encrypt the systems across the network.
Early this year, the operators reportedly launched a data leak platform used to expose a victim's data if the victim failed to meet the ransom conditions. The site, called "Happy Blog", was created to publish samples of a victim's data and thereby threaten the target with release of the entire stolen dump.
Previously, in the days following a breach, the stolen data would simply be published to the site, where other cybercriminals could take it for free.
In the latest cyber case involving REvil, it is said that the stolen data is associated with a Canada-based agricultural firm and a food distributor in the United States.
What’s the Auction Procedure?
Concerning the two organizations, the information security and tech news site Bleeping Computer reported that the attackers hold more than three databases containing 22,000 files ready for auction, with starting bids set between $50,000 and $200,000.
The auction site has shared a couple of rules regarding the terms and conditions for bidding and paying for stolen data.
First, an interested party must register separately for each auction it wishes to bid on.
Following successful registration, the party must deposit 10 percent of the auction's starting price. This deposit is refunded once the auction concludes, minus the blockchain transaction fee.
The third rule addresses fake bids: a winning bidder who fails to pay forfeits the deposit.
Importantly, the site states that all transactions for the auctions are conducted in the Monero cryptocurrency (XMR).
Finally, the site informs registered bidders that they will be provided with credentials and deposit payment details that enable them to bid in the auctions.
Inside REvil’s Cybercriminal Enterprise
Many cybersecurity experts acknowledge that REvil has become a force to be reckoned with in the cybercriminal world. The group has pushed well beyond the traditional ransomware model, and its operators have proven highly productive on an international scale.
In the year 2019, REvil was reported to have been involved in cybercriminal attacks targeting more than 23 Texas municipalities, 400 dental businesses in the U.S., managed service providers such as CyrusOne, and an IT solutions firm called Complete Technology Solutions.
By the end of the same year, the ransomware had hit Travelex in a high-profile case in which the company reportedly paid the attackers $2.3 million in ransom. The attack was said to have severely disrupted Travelex's sites across the world before the company recovered a month later.
In conclusion, the reach and impact of REvil's operation has had tremendous consequences across the world. The economic fallout of the ongoing COVID-19 pandemic also appears to have shaped REvil's tactics: with most organizations trying hard not to pay ransoms, the group now lets auction bids set the price for stolen data.