I honestly cannot think of a more ironic name for a blog than the Sodinokibi (REvil) ransomware operators calling their website “Happy Blog.”
But something seems to have gone wrong from REvil’s perspective. For reasons that are not clear from the communications they published, after reaching an agreement with Sherwood Food & Harvest Distributors, something must have fallen apart, and the threat actors blame Coveware for that. Later in the day, they added more to their site about the situation:
We worked closely with coveware on many data recovery cases. But something went wrong yesterday. A case with Sherwood Food & Harvest Distributors was agreed for $7,500,000
At the very last moment, when we had already agreed on everything and were waiting for payment, coveware wrote that the client refused. We do not know how true this is, but the result in such cases is always the same:
1. The initial price of the contract is currently not valid and will be increased by the timer x2, as expected;
2. The data will be published every week in parts. It is inevitable and systematic. Up to the payment of the ransom up to a cent.
They then dumped some data as the first part of sticking to their plan.
The Sherwood negotiations weren’t the only negotiations Coveware was involved in this week with this group. They were also representing the media law firm that represents Lady GaGa, Elton John, Facebook, and other celebrities and huge entities. REvil writes:
Next. The hottest news, which we associate with GRUBMAN SHIRE MEISELAS & SACKS. Our demand was only 21.000.000$. The work was also done with the above mentioned coveware. After 10 days, we asked how much money had been collected from the amount. The answer was 365k. Of course, we realized that people are not determined to solve the problem. Correspondingly, our tactics the same:
- The initial price of the contract is currently not valid and will be increased by the timer x2, as expected;
- The data will be published every week in parts. It is inevitable and systematic. Up to the payment of the ransom up to a cent.
As proof of their intention, they dumped data alleged to be from Lady GaGa’s files.
And consistent with their policies, they have doubled the ransom demand to $42 million.
“Grubman,” they wrote, “we will destroy your company to the ground if we don’t see the money. Read the story of Travelex, it’s very instructive. You repeating their scenario one to one.”
But something else they wrote before that is sure to garner even more attention. They appear to be attempting to extort the President of the United States.
The next person we’ll be publishing is Donald Trump. There’s an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president. Well, let’s leave out the details. The deadline is one week.
There is a bit more to their press release, but they include this:
War to victory, only this way.
We’re staying tuned. DataBreaches.net has no idea what kind of claims they will be making about the President and whether they will be true or false. I have no doubt that many will declare them fake news, but either way, this certainly seems like election interference in the making.
Update: This post was edited post-publication to clarify the order the order of statements in REvil’s press release. Their statements about Trump were before their warning to Grubman that they would destroy their firm and the “poke a sharp stick at the guys” appeared to be in reference to Trump urging Grubman to pay their demands.