‘REvil’ Hacks GSMS Law Firm [Complete Timeline]: Threatens to Expose Donald Trump, Lady Gaga, Facebook & others on Dark Web

Cyber Attacking is a notorious activity and hackers do it for different motives. Few want to bring awareness, see a positive change, some have a vengeful spirit, while others are simply creating nuisance, or looking to make personal profit. And the latest high profile cybercrime is giving us narcissistic vibes with their agenda, because of their offbeat narratives and demands.

In May of 2020, USA’s leading law firm Grubman Shire Meiselas & Sacks got some ‘special love’ from the infamous hackers “REvil”. The group, also known by their ransomware name “Sodinokibi”, earlier garnered publicity in January, 2020, when they attacked Travelex, a foreign exchange company. The intrusion was in the form of a malware that encrypted their data, and demanded untraceable cryptocurrency as ransom. The company actually went through and settled the matter for $2.3 Million in bitcoins, as reported by Wall Street Journal.

Their earlier success could be the reason for the next high profile GSMS Law data breach. Allen Grubman, the famous entertainment lawyer, along with his firm manages many A-list music artists, record labels, Fortune 500 companies and top executives. So naturally they host valuable information on these clients, like,

1. Prominent Contract Deals,
2. Non-Disclosure Agreements,
3. Sensitive Documents,
4. Personal Correspondence,
5. Contact Details
6. Other Personal Data

Scroll down towards the end of the article to see Grubman Shire’s long-list of clientele who are potentially at risk with this ransomware infection.

REvil Ransomware Attack Timeline: The ‘What, When, How’ of it all

There has been a lot of buzz around New York’s Grubman hack since last week, and the threat actors are wasting no time in providing bait, making obnoxious demands and then leaking sensitive data after deadlines are not met. Let’s take a look at how everything conspired since day 1.

May 7, 2020: REvil Ransomware Announcement

The matter came to light when REvil members posted a message on their blog site “Happy Blog”, available on the Dark Web.  It was meant for the GSMS Law team and threatened to leak sensitive files on their clients. By then, the REvil gang had infiltrated the firm’s computer network and encrypted their data.

The below screenshots were published on the site, that affirm they have data amounting to 756 GB on the likes of: Facebook, Lady Gaga, Madonna, Bruce Springsteen, Nicki Minaj, Christina Aguilera, Mariah Carey, Mary J. Blige, Jessica Simpson, Bette Midler, Priyanka Chopra, Idina Menzel and more.

By this point, REvil didn't publicly disclose their demands. Along with above information, the group also shared a Proof of existence as an excerpt of Christina Aguilera 2013 and Madonna's 2019 “Madam X” tour contracts,

May 9, 2020:

Even after many requests, the media didn’t receive any comments on the attack from Grubman Shire Law Firm authorities or team. But suddenly on Saturday, the official GSMS website went offline, leaving its only remnants in the form of their logo.

May 11, 2020:

On Monday, Grubman Shire confirmed the ransomware attack and extortion demands to Variety, and informed that their staff and roster of clients have been duly notified of the data breach. Their statement established that the alleged files have definitely been stolen.

The entertainment and media law firm assured that they are working around the clock with industry experts to solve the cybercrime at hand.

May 12, 2020:

On the very next day, Page Six, New York Post reported that the cybercriminal ring has demanded a ransom of $21 Million. REvil also threatened to gradually roll out small batches of eminent data if they don’t receive the money in time.

The Grubman Law firm didn’t seem to phase out from this warning and said they will not be negotiating with the attackers at any cost. By now, the FBI has completely taken over the case and is conducting a criminal investigation.

May 13, 2020:

As a next move, Grubman hackers uploaded around 1GB data to MEGA cloud storage, but as soon the company got wind of it, they disabled the download link and terminated the actor’s account.

REvil further tried to taunt GSMS Law by referring Coveware, a ransomware recovery firm, and attributing the ‘data leak’ to them. They also mocked the latter by stating that it’s “a mistake to hire a recovery company in the negotiations”.

May 14-15, 2020:

By Thursday, the Grubman ransomware hackers got a lot more serious and published a blog post on the dark web, where they doubled up on the blackmail money and straight away asked for $42 Million within one week's deadline. They detailed that since they are not happy with an insufficient payment of $365,000 made till now, they will be increasing the ransom value. But a GSMS representative denied these claims altogether, repeating that they will never negotiate with these cyber-terrorists.

Along with the latest warning, the threat group also shared 2.4 GB worth of documents on Lady Gaga, containing NDAs and important contracts.

To add fuel to the fire, REvil further claimed that their next target will be the current US President Donald Trump. To quote them directly,

“There's an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don't want to see him as president. Well, let's leave out the details. The deadline is one week.”

It’s interesting to note that Grubman Shire Firm has never represented Trump or his organization. But still they released a statement in response to the ransomware attacks and public interest,

May 16, 2020

After their exaggerated claims about “Dirty Laundry” on Donald Trump, REvil released a collection of 169 emails on him. But as Shakespeare said, it was ‘much ado about nothing’. Contradicting their earlier statement about incriminating information against the President, the hackers released a bunch of emails, but the data dump only seems to have the word “trump” in common.

In most of the emails, the english word ‘trump’ has been used in conversation, while in other few ‘Donald Trump’ has been mentioned but not in any meaningful ‘dirt’ kind of way.

Some discussions involve mocking references to him from his past TV and ad appearances, while others are plain fundraising letters. In screenshot below, take a look at an email from the REvil Donald Trump data dump,

But, the REvil group themselves admitted that this was the most “harmless” information on the President from their stolen database. They only wanted to show the evidence of the actual material they have, and the concerned parties should be scared of what’s to come.

May 18, 2020:

REvil operators claimed that they have sold off all data related to Donald Trump to an interested party, and that they are very pleased with the deal.

The gang has next claimed an auction of files, documents and sensitive data on Madonna. Full post reads:

REvil Donald Trump Data Leak – More to the Story

With so much happening, it is difficult to predict REvil’s next move. Reportedly they were greatly affected by the word “terrorism” used by Grubman Shire firm in one of their recent statements, and allegedly that’s how the Trump data leak events transpired.

But after complete analysis and tracking their daily activities, these damaging threats against Donald Trump seem to have some substance. Especially, if some 3rd party has already bought the entire data dump and might use it for nefarious purposes. Nevertheless, the activities in the next few weeks, we’ll soon know the truth to the REvil’s claims.  

Grubman Shire Meiselas & Sacks Clientele

Grubman Shire Law firm manages distinguished celebrities and powerful organizations associated with the entertainment and media industry.

Some of the big names that can potentially be at risk are: