REvil Ransomware found the buyer of Trump data, now targeting Madonna.

Ransom group REvil says buyers are willing to sell documents with malicious information about American president Donald Trump and is preparing to auction data about international celebrity Madonna.

Hackers hacked into the network of Grubman Shire Meiselas & Sacks (GSMLaw), a law firm representing a large number of A-list celebrities, and stole everything they thought was valuable before encrypting the data.

Data leakage

After the failed negotiations with the law firm, REvil published an archive of the most innocent information about Donald Trump, a collection of more than 160 e-mails.

They also said that there will be an auction every week with the contact details of the buyers, and that they don’t care who buys them, as long as they get paid:

REvil Ransomware found the buyer of Trump data, now targeting Madonna.

In today’s announcement, the hackers said they had been approached by interested parties to buy all the data on the U.S. president, and that they were satisfied with the offer.

They also promise to remove their copy of the data so that the buyer is the sole owner. There is no indication of who made the offer or what they intend to do with it.

Numerous sources who have verified the data leak have told BleepingComputers that the leak is harmless and contains nothing that could harm President Trump.

This alleged sale by the ransom companies could be their attempt to save face after threatening to destroy Trump’s reputation, but without any real data that could harm him.

To continue his threats against GSMLaw, REvil said they plan to auction off the files related to the Madonna they stole from the company. The starting price is $1 million and the same rules apply as before:

REvil Ransomware found the buyer of Trump data, now targeting Madonna.

REvil, also known as Sodin and Sodinokibi, has built a reputation as a professional criminal with strong financial motivation. The group has set up a highly profitable acquisition activity (RaaS) that relies on partners who have been in the game for a long time. They are the successors of GandCrab and act more aggressively.

How did REvil get here in?

Pending the conclusion of a payment agreement with GSMLaw, REvil has published proof on its website that it has extensive data on VIPs in the entertainment and media industry.

A ransom for deciphering the files, originally set at $21 million, was not paid, and the hackers threatened to publish what they had stolen from a New York celebrity law firm.

After 10 days of unsuccessful negotiations, hackers doubled the ransom demand and threatened to publish 756 GB of data (contracts, phones, e-mails, personal correspondence, NOA) in 10 rounds.

They kept their word and published the first batch on Lady Gaga – 2.4 GB of documents, and announced that the next person we will publish will be Donald Trump.

REvil Ransomware found the buyer of Trump data, now targeting Madonna.

Cyber-terrorists and criminals

The GSM law didn’t stop the hackers in their statements. In a statement on page six, the law firm mentioned foreign cyber-terrorists REvil :

Experts and the FBI have informed us that negotiating or paying ransoms to terrorists is a violation of federal criminal law.

Following a request for comments from BleepingComputer, the FBI stated the following:

If the FBI does not establish that the ransom software has been used by a terrorist organization or a designated nation state, the FBI will regard the ransom investigation as a criminal offence.

While the authority does not encourage the payment of ransoms to criminals and discourages businesses from doing so, the federal authority also recognizes the damage that a ransom raid can do to a business.

Managers may be forced to consider ransom in order to protect shareholders, customers and employees. In all cases, it is strongly recommended to report such an incident to the local FBI office.

The FBI is urging the victims not to pay a hacker for blackmail. Payment of extortion requests stimulates further criminal activities, leads to a new conviction and can be used to facilitate the commission of other serious crimes. Moreover, the payment of the ransom does not guarantee that the victim regains access to his or her data. The best approach is to focus on deep protection and have multiple layers of security because there is no method to prevent compromise or exploitation, the FBI told BleepingComputer.

Sometimes cybersecurity companies that oversee ransom activities can help decrypt the files. Not all cyber criminals are top developers, and some malware code errors can be used to unlock files without paying ransom.