REvil/Sodinokibi: With the timer running out on the first auctions on REvil/Sodinokibi’s new auctions page, there has been an unexpected development–the data was posted for free. When REvil first began the auctions for data belonging to two companies in the food production industry, it was unclear what would happen if the data did not sell. That question has now been answered with the timer on the first auction running out over the evening. Following its failure to sell, REvil unlocked all of the files belonging to the victim. The second auction timed out this morning while this article was being written, and that data was automatically published for free as well. Two more auctions are currently live with one having nearly 29 days for bidding to take place, and the other having just under four days until it is published. The first victim is a law firm which represents science and technology firms and specializes in Intellectual Property (IP) law; the law firm’s data has been put up for auction with a starting bid of one million USD. The second is for a smaller personal injury law firm based in Louisiana and starts at $30,000 USD.
If potential bidders know that data will be posted for free if it fails to sell at auction, it could possibly decrease the effectiveness of auctioning off the stolen data. The public posting of the data means that the one benefit to purchasing the data at auction is exclusive ownership of the data. This could lead to only the “juiciest” or most criminally valuable data seeing any activity on the auctions page, especially with the current pricing model being used by REvil. When the data gets posted publicly, it opens the victims up to a wide range of attacks and targeting from any number of criminals who choose to access the now publicly available information. This continued evolution of how ransomware operators act makes the protection, detection, and response to ransomware attacks gravely important for organizations of all industries and sizes. The best approach to defense against ransomware attacks is twofold: 3-2-1 data backups and Endpoint Detection and Response (EDR). Back up often, keep three copies of backups, on two different media types, with at least one backup maintained off-site. EDR is the best means of getting ahead of an attack by allowing for early detection–meaning early protection by being able to quarantine infected systems and minimizing the impact and spread of ransomware while minimizing the amount of data which can be stolen by attackers.