Ransomware Actors Now Engage in Auctioning Stolen Data

By Bill Toulas / June 3, 2020

The REvil ransomware group is engaging in yet another pioneering activity, looking to maximize its profits by auctioning stolen data. For those of you who haven’t been following the news lately, this is the group of actors who have recently breached the “Grubman Shire Meiselas & Sacks” law firm systems, stole extremely valuable information belonging to high-profile artists and actors, and then went on to involve the very President of the United States, demanding the payment of $42,000,000 as ransom. So, if they hold such valuable data in their hands, why not try to auction it and maximize their gains?

According to a report by KrebsOnSecurity, REvil is currently using a data dump from a Canadian agricultural production company to test for this new tactic after the victimized company has declined to pay anything to the ransomware actors. The auction takes place on a dark web platform named “Happy Blog,” and has set a starting price of $50,000. The minimum deposit in virtual currency is $5,000, while the blitz price is $100,000. The winner of the auction will exclusively get 22,000 files belonging to the breached agricultural company, in the form of three databases and thousands of PDFs, XLSXs, and DOCXs.


Source: Krebs On Security

This new tactic brings several advantages to malicious actors. First, the data buyers are more prim and meretricious, as they are very often competitors of the compromised entity. This automatically raises the value (and the price) of the auctioned data, since it will end up only in the hands of someone who has a use for it. Secondly, this same thing increases the pressure on the extorted entity, since they wouldn’t want their direct market competitors to get their hands into their data. At the same time, the auction is bringing extended negative publicity over to the compromised firm, so this works adversely on multiple levels.

From the point of the ransomware actors, auctions help them extract as much value as possible from a data dump sale, but at the same time, it indicates that the threat groups are now having trouble getting any money from their victims. The ongoing financial crisis that has already hit so many companies out there has created problems in the world of cybercrime as well. Many of the companies that sustain ransomware attacks today are simply unable to meet any ransom demands, even if those are set pretty low. That said, we may start to see a lot of “auction action” from now on.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: