REvil Ransomware Actors Threatening to Leak “GSMLaw” Documents

Last updated September 17, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

It’s been a while since the Revil/Sodinokibi gang managed to steal the spotlight with a high-profile attack, but they were by no means inactive all this time. According to a recent report, REvil hackers successfully compromised the New York-based law firm “Grubman Shire Meiselas & Sacks” (GSMLaw), infecting its systems with ransomware and exfiltrating highly sensitive documents in the process. The firm is known for representing VIPs and successful artists of the likes of Madonna, U2, Bruce Springsteen, Nicki Minaj, Lady Gaga, Elton John, Robert de Niro, Usher, and Rick Ross.

SodinScreenGSMLaw

Source: Bleeping Computer

Thus, the REvil group is likely holding very revealing documents that a large number of entertainment and media personas would prefer to keep private. In the screenshots that the threat actors published as proof, we can see U2’s publishing and record agreements, a folder named “Facebook,” another one containing files concerning a reality TV show, and various other things. There are many sensitive details to be found there - if these files are indeed the products of a data breach and not a made-up list.

SodinScreenGSMLaw2

Source: Bleeping Computer

In total, the hackers claim to have 756 GB of data, and they warn about the contents that include non-disclosure agreements, email addresses, phone numbers, contracts, and even personal correspondence. They even claim to own a legal agreement between the firm and Christina Aguilera, which dates back to 2013, and also an agreement between one of Madonna’s crew members and the “Live Nation Tours” company regarding the 2020 World Tour.

Sodinokibi isn’t known for delivering empty threats, so we can safely assume that the claims concerning the security breach on GSMLaw’s computers are valid. The particular group of actors has proven its skills before, crippling Travelex for months, causing business disruption to CyrusOne, and striking PerCSoft hard. These are just examples taken out of an ocean of ransomware infections attributed to the particular threat actors. Still, there’s one fundamental change that plagues the victims now compared to how things worked when the strain first appeared last summer - that is the file-stealing aspect that is now bringing a ton of trouble and is pushing GSMLaw on the ropes with a ransom amount that we’re sure it’s a hefty one.

The REvil actors are asking for payments to be made in Monero, as this has served them well in keeping their anonymity intact so far. Monero is hard to trace, its confidential, private (all amounts and transaction points are obfuscated), secure, and fungible. This is why we have seen North Korean hackers using it, and the “Outlaw” group are also relying on it.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: