Threat Watch

REvil Streamlines the Sale of Victim Data

REvil/Sodinokibi: Between late evening Monday and Tuesday morning (June 2nd), the operators behind the REvil ransomware added a new and unique feature to their website: an auction page. Like many major ransomware groups, REvil operates a website for publicly shaming their victims as means to further “encourage” payment and cooperation from their victims. The addition of an auction site is a new but not wholly unexpected development at a time when ransomware operators seek to expand their means of financial gain from their victims. Currently, the auction page on REvil’s “Happy Blog” has two sale posts–one for a food distribution website and another for a Canadian crop production company. Both auctions are set to end in less than six days and currently have zero bids.


The fact that REvil was the first group to start up an auction site is not surprising given the fact that the group began discussing the auction of data following their breach of the Grubman, Shire, Meiselas, & Sacks law firm. During that time the group claimed to have auctioned off data about President Donald Trump and had discussed using the criminal auction site Joker Buzz to sell victim data in the future. However, no auctions on Joker Buzz were ever seen which lined up with REvil’s victims during that time. With the public auctioning of victim data being a newer move by REvil, it is possible that these first sales will go quickly. The starting prices for the two victims are $100,000 USD and $50,000 USD and are set to increase by bids of $10,000 and $5,000, respectively, with blitz, or buy it now, prices of $200,000 USD and $100,000 USD. If the data does not sell, the group will likely reevaluate their sale prices and may choose to repost the data. The start of data auctions increases the need for organizations to not only ensure they have proper data backups, preferably following the 3-2-1 rule, but also to ensure early detection of intrusions that could lead to ransomware on their networks. Endpoint Detection and Response (EDR) solutions can give victims an early warning which afford victims the ability to quarantine infected devices and minimize the attackers ability to steal data for both ransom and auction.