REvil Ransomware Attack Hits A-List Celeb Law Firm | Threatpost

A popular law firm that works with several A-list celebrities, including Lady Gaga, Drake and Madonna, has been hit by a ransomware attack. Hackers are now threatening to release the 756 gigabytes of data allegedly stolen – including non-disclosure agreements, client contracts and personal correspondence.

The New York-based firm, Grubman Shire Meiselas & Sacks, offers legal services to the entertainment and media industries. According to researchers with Emsisoft, cybercriminals hit the law firm in a cyberattack using the REvil ransomware (also known as Sodinokibi). Information allegedly stolen includes clients’ phone numbers, email addresses, personal correspondence, contracts, and non-disclosure agreements made with ad and modeling firms.

“A limited amount of data has been posted on their Tor leak site – screenshots of a couple of contracts as well as the folders to which they claim to have had access,” Brett Callow, threat analyst with Emsisoft, told Threatpost. “The group claims to have exfiltrated 756 GB of data in total which is to be published in installments – unless the firm pays, of course.”

Grubman Shire Meiselas & Sacks works with a client list of more than 200 high-profile celebrities, including Elton John, Rod Stewart, Lil Nas X, The Weeknd and U2. Companies like Facebook, Sony, HBO and iHeartMedia are also clients of the law firm. As of Tuesday, the firm’s website (gsmlaw[.]com) was offline, only displaying its logo.

“We can confirm that we’ve been victimized by a cyberattack,” the New York-based firm said in a press statement to Variety. “We have notified our clients and our staff. We have hired the world’s experts who specialize in this area, and we are working around the clock to address these matters.”

The cybercriminals are threatening to release the data in nine installments, unless they are paid an undisclosed amount of money, said Callow. So far, they have reportedly published documents demonstrating the data that they compromised, including one allegedly signed by Madonna’s 2019 tour agent for her World Tour 2019-20 and the other allegedly signed by Christina Aguilera.

“Ransomware incidents are now effectively data breaches and no longer simply affect the target company, but also its customers and business partners,” Callow told Threatpost. “The exposure of their information may result in impersonation, identity theft, spear phishing attacks, BEC scams or other forms of fraud. Additionally, it’s also possible that the criminals will contact the people whose data has been exposed directly and attempt to extort money.”

While it’s not known how the company was first infected, REvil is known to use RDP attacks, malspam as well as other attack mechanisms to initially target companies, he added.

The threat of leaking stolen data, which researchers call “double extortion,” is not new for REvil. Attackers using the REvil ransomware created a “Happy Blog” this year, where they have recently published details of ransomware attacks on 13 targets, as well as company information stolen from the targeted organizations.

That includes files of the National Eating Disorders Association, an organization that aids people with eating disorder, which was first infected by ransomware earlier in April (and data for which was leaked by the ransomware attackers on April 4).  Similarly, the operators behind the Sodinokibi ransomware threatened to sell the entire database compromised from global currency exchange Travelex after a malware attack at the new year knocked the company offline and crippled its business during the month of January (Travelex ended up paying out $2.3 million in Bitcoin).

These incidents are important reminders for companies to check in on their security protection tactics, Tim Erlin, vice president of product management and strategy at Tripwire, said.

“The overwhelming tendency is to focus on the ransomware itself in these types of cases, but ransomware doesn’t magically appear on a system,” Erlin said. “Organizations that are concerned about ransomware should assess how well they’ve deployed basic controls like vulnerability management, secure configurations and email protections. The first line of defense against ransomware is to prevent it from getting inside in the first place.”

Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.