The REvil ransomware gang, which has claimed a $50 million ransom after hitting Acer with an alleged ransomware attack on its servers, has been targeting major organisations around the world, stealing their data and listing it on a dark web marketplace, News18 has learnt. The attacker collective runs a dark web store of sorts called ‘Happy Blog’, and through this portal has listed vast troves of stolen data for sale, presumably obtained through ransomware and remote code execution (RCE) exploits similar to those used against the Taiwanese consumer technology company Acer. According to independent cyber security researcher Sourajeet Majumder, the Happy Blog presently lists data from Acer, the Nigerian lender Union Bank of Nigeria, and the major American celebrity law firm Grubman Shire Meiselas & Sacks.
An example of user data, including personal information and account details, stolen by REvil from the Union Bank of Nigeria. (Image: Sourajeet Majumder/News18.com)
While the law firm’s data breach by REvil was widely publicised, a major cause for concern is that troves of the firm’s data are still available for sale on the dark web, almost a year after the attack. The data trove includes personal details of numerous celebrities such as Jennifer Lopez, Robert de Niro, Priyanka Chopra, Madonna, Elton John, Tom Cruise and Dwayne ‘The Rock’ Johnson, among many others. REvil demanded a ransom of $42 million (approx. Rs 304 crore) for this attack, but it is not clear whether the ransom was paid. However, News18 could verify (via Majumder) that chunks of this data, if not all of it, still remain online.
Also available on REvil’s Happy Blog is a large volume of data on customers of the Union Bank of Nigeria, which has a reported asset base of $4.1 billion. The data, which News18 has verified, was clearly taken from the bank’s servers, and includes details such as the bank’s customer base, their account numbers, bank statements and related, identifiable personal data. News18 could not verify the exact volume of data taken from the bank, nor is it clear exactly what ransom REvil may have demanded from the Union Bank of Nigeria. Efforts to reach a spokesperson for the bank were unsuccessful at the time of publishing, and no information is currently available about REvil’s correspondence with the bank.
Payment notes belonging to Acer India Pvt Ltd, part of the data stolen in REvil’s $50 million ransomware attack. (Image: Sourajeet Majumder/News18.com)
The above are just two of the numerous organisations whose data has been stolen and put up for sale by the REvil ransomware gang on its own dark web marketplace. The stolen Acer data also includes details from Acer India, such as the Indian subsidiary’s banking records, as well as what appear to be personal data of Acer employees. The company is yet to offer a detailed response to the REvil ransomware attack, or to say what steps it will take in response.
The residual effects of ransomware attacks, which appear to be REvil’s speciality, compound the harm: leaked personal data gives malicious scammers lasting access to information they can use to target individuals. Such scammers scrape details like the personal information or bank records mentioned above to establish a level of credibility, and then trick victims into leaking further sensitive data or suffering monetary losses.