REvil ransomware gang immediately auctioned sensitive data after a card services provider failed to cover their ransom.
The REvil ransomware gang is auctioning off sensitive information stolen from debit card services provider Interacard.
According to REvil’s website, the information is available in an auction listing published by the group. All prospective bidders are required to pay using Monero (XMR).
REvil has previously only auctioned data in cases where their name-and-shame tactics failed to extract payment from a targeted company. That does not appear to be the case this time, however.
Hypothesis behind going directly to the auction stage
Speaking with Cointelegraph, Brett Callow, threat analyst at malware lab Emsisoft, provided some possible reasons behind REvil’s tactics:
“In this case, REvil appears to have bypassed their usual name-and-shame strategy and gone directly to the auction stage. The group may have done this in the belief that the data is worth more than the company would be willing to pay, or the data could have been obtained in an attack that occurred prior to them launching their leak site in February of this year. If the group is now auctioning data from older incidents, that would obviously be bad news for any companies which were attacked by REvil prior to February. Their data could soon be put up for auction.”
If it’s true that the ransomware gang is merely auctioning data from old attacks, Callow believes that companies attacked between April 2019 (when the ransomware was first identified) and February 2020 (when the group launched their website) are now at risk of having their data publicly leaked.
Details of the sensitive information leaked
The auction lists databases, documents from HR and accounting, technical documentation, customer information, and Point of Sale, or POS, firmware sources and builds.
According to the listing, the auction starts at $100,000 and has less than four days remaining as of press time. It is not clear whether REvil will leak the data once the countdown finishes.
REvil recently launched another series of attacks against three companies in the U.S. and Canada. The companies are the well-known Canadian accounting firm Goodman Mintz LLP, licensed real estate broker Strategic Sites LLC, and ZEGG Hotels & Store, a duty-free store.