A swathe of A-listers including Lady Gaga, Madonna, Nicki Minaj and Bruce Springsteen have had their data stolen by a hacker group. HBO's Last Week Tonight With John Oliver and Facebook were also purportedly on the hit list.
New York-based media and entertainment law firm Grubman Shire Meiselas & Sacks confirmed to Variety on May 11 that its internal data security was compromised by a ransomware attack. The confidential information stolen by the hackers includes 756 gigabytes worth of contracts, nondisclosure agreements, phone numbers, email addresses and private correspondence.
In ransomware attacks, hackers typically demand a ransom from their victims under the threat of releasing the stolen data to the public. According to Page Six, sources indicate the hackers are demanding a USD $21 million ransom. However, the victimised law firm is not negotiating with them.
Brett Callow, threat analyst at anti-malware software company Emsisoft, told NME the amount was “not beyond the realm of possibility”.
“It would be the second largest [ransom] ever – as far as we know, at least. In these cases, it’s also possible that the criminals will attempt to extort money directly from the people whose information was exposed.”
Callow also agrees with the law firm’s stance on negotiation, likening it to a lose-lose situation. “Companies in this situation have no good options available to them,” he said.
“Even if they pay the ransom demand, there is no guarantee that the criminals will destroy the stolen data, especially if it has a high market value. The data may still be sold or traded.”
The data heist was conducted by hacker group REvil, which also operates under the alias Sodinokibi. First news of the security breach surfaced last weekend on dark web forums, when the group uploaded an excerpt of a contract for Madonna’s 2019-20 Madame X tour with Live Nation as proof.
According to Callow, there are two likely scenarios for the current situation. In the first, the firm's data backups were encrypted or deleted by the group; in the second, the hackers were unable to encrypt or delete the backups.
“In the case of scenario one, the firm has two problems,” Callow explained.
“Decrypting its own data, or deciding what to do about the stolen data. The only way they can decrypt it is to pay the criminals for a key. Should they not pay, the data will be gone for good.
“In the second [scenario], the only question is what to do about the stolen data. In either case, should the firm decide to pay, they’ll simply receive a pinky promise that the stolen data will be deleted – and, as that pinky promise is coming from criminals, it’s not something you can count on them doing. This is especially true if the data they obtained has a high market value and could be easily monetised for a second time.”
At the other end of the table, Callow believes REvil/Sodinokibi are currently deciding what information they’ll leak next.
“They’ll likely not want to post anything too sensitive initially as that could lessen the firm’s incentive to pay,” he said.
“The timeline REvil set may partly depend on whether they obtained as much data as they claimed. If they didn’t, they’ll want to push hard to settle quickly before the firm realises they’re bluffing.
“The criminals’ intention in these cases is simply to make money, not to publish the data. If they end up publishing all the data, it means they lost. They publish it simply as a warning to their next victim.”