The criminal group behind the REvil (Sodinokibi) ransomware is extorting a New York-based law firm, threatening to release sensitive files on the company's celebrity clients unless the the firm pays a whopping $42 million ransom demand.
The extortion attempt is the result of a ransomware infection that Grubman Shire Meiselas & Sacks (GSMS) suffered last week.
On May 7, REvil operators published a message addressed to the GSMS staff on a dark web portal, threatening to release files about its clients, files the REvil gang stole from the law firm's internal network before encrypting its files.
Screenshots published on the site hinted that hackers stole documents pertaining to GSMS customers, included the likes of Lady Gaga, Madonna, Mariah Carey, Nicki Minaj, Bruce Springsteen, Bette Midler, U2, Outkast, Jessica Simpson, Cam Newton, Facebook, and more.
GSMS confirmed the incident and the ongoing extortion attempt on Monday, in a statement to entertainment news site Variety.
The hackers gave the company a week to negotiate and pay the ransom, time that expired last night when the hackers posted a second message on their website.
REvil operators said GSMS offered to pay only $365,000 of the $21 million they asked, and as a result, they were now doubling the ransom demand to $42 million.
Furthermore, as punishment for the company's failure to pay in time, the REvil gang also released a 2.4 GB archive containing Lady Gaga legal documents, most of which were contracts for concerts, merchandising, and TV appearances.
In addition to doubling the ransom demand, hackers have also made another veiled threat against the NY law firm, threatening to release files related to US President Donald Trump. We quote from the REvil site:
There's an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don't want to see him as president. Well, let's leave out the details. The deadline is one week.
However, earlier today, entertainment and gossip news site PageSix reported citing sources that President Trump has never been a GSMS client. Based on currently public information, this would appear to be just an empty threat, in an attempt to put more pressure on the law firm to pay the ransom demand.
Ransomware gangs that steal data before encrypting victim files networks is now a common sight. Twelve different groups now engage in this double extortion practice where the ransom is for both decrypting files and for not releasing stolen files.