weerapat1003 - stock.adobe.com

Sodinokibi gang begins dark web celebrity data auctions

Group claims to be auctioning confidential legal data on pop stars Mariah Carey, Nicki Minaj and basketball player LeBron James

The first dark web auction of legal data stolen from a celebrity law firm by the Sodinokibi/REvil cyber crime gang has begun, with a starting price of $600,000 (€528,000/£476,000) for each of three lots of data relating to pop stars Mariah Carey and Nicki Minaj, and basketball player LeBron James.

The ransomware group compromised the systems of New York City-based Grubman, Shire, Meiselas and Sacks in May 2020 and stole data relating to a number of its clients, including Lady Gaga, Madonna and, allegedly, Donald Trump.

A previously scheduled auction of data relating to Madonna did not go ahead, although the group did release some material publicly as proof of its intentions. It said this was because it had been auditing the data.

The gang, which is also referred to as Gold Southfield by some threat intelligence operatives, claims to have access to 1.2GB of material on Carey, 1GB of material on Minaj, and 600MB of material on James.

Each auction also carries a buy-out price of $1.5m, with money payable in monero, a cryptocurrency that is theoretically harder to trace than bitcoin.

The group is also offering all the data it stole in the hack for a price of $42m, still thought to be one of the largest ransoms ever demanded in such an incident.

Writing on its dark web blog last week, the Sodinokibi gang said there were many valuable files, and those who bought it would be “satisfied for a very long time”.

“Show business is not concerts and love of fans only,” they wrote. “Also it is big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs and treachery.

“After buying the data, some celebrity’s [sic] will get even more respect and love of fans, but for other half of celebrity’s [sic] their career will ride into the sunset, because there exists things that have no excuse, even for money.

“Political and show business always close to each other and any dirt will get out sooner or later.”

The gang said it had wanted to make the data publicly available – as it did with the first tranche of data stolen from Grubman – but added: “We are businessmen and any altruism ends sooner or later.”

Each auction will run for three months, and if a specific lot is sold, the group said it would remove all of that lot’s data from its servers, and make it available only to the buyer. It added that more “interesting and compromising” data would be sold towards the end of the process.

Read more about ransomware

Emsisoft’s Brett Callow, who has been tracking this hack since it began, said Sodinokibi probably does have access to data on more parties than it has so far disclosed, but whether it is as interesting as it claims is up for debate.

“Their claims of sex scandals and political skullduggery could well be completely false and made simply in the hope of creating a bidding war,” he said.

Callow also cast doubt on whether the gang realistically expected to able to monetise any of the data, and suggested it might be more likely that the auctions are going ahead to prove to other future victims that it can cause them problems, and convince them that paying the initial ransom demand is the least damaging option.

“I suspect it’s not at all uncommon for groups to overstate the extent of breaches,” Callow told Computer Weekly. “It can take several weeks for companies to work out exactly what data was exfiltrated, and groups may take advantage of that period of uncertainty and pressure them into speedy settlements by claiming to have more data than they actually do.

“That said, the amount and nature of the data that was stolen shouldn’t alter companies’ decisions. They have been breached, their data is in the hands of cyber criminals, and paying the ransom does not alter that fact.

“Even if they do pay, they will simply receive a pinky promise that the information will be destroyed and not released or resold – but as that pinky promise is coming from a bad faith actor, it carries no weight whatsoever. If information has significant value, why wouldn’t the criminals resell it?” 

The Sodinokibi gang is planning to open a second auction on 3 July, selling data on a number of entertainment companies including record label Bad Boy Entertainment, movie studio Universal, and music channel MTV. A third auction is set for 5 July, but it is not yet clear what will be sold.

Read more on Hackers and cybercrime prevention