This article originally appeared on VICE US.
President Donald Trump may have another adversary to beat to win November’s election besides Joe Biden: a group of hackers.
The anonymous hackers this week crippled the computer systems of high-profile celebrity law firm Grubman Shire Meiselas & Sacks claiming to have stolen 756GB of highly-confidential documents including contracts and personal emails from the firm’s client list, which includes Madonna, Drake, Lady Gaga, Elton John, Robert De Niro, U2 and Bruce Springsteen.
The hackers initially demanded $21 million from the law firm to stop the documents becoming public, posting a screenshot of a contract for Madonna's World Tour 2019-20 complete with signatures from an employee and concert company Live Nation.
But on Thursday, they doubled their ransom demand claiming that they also had information on the U.S. president.
“The ransom is now $42,000,000,” the hackers said on their dark web site, seen by VICE News “The next person we’ll be publishing is Donald Trump. There’s an election going on, and we found a ton of dirty laundry on time.”
The hackers made a direct plea to Trump, urging him to get the attorneys to pay up.
“Mr. Trump if you want to stay president, poke a sharp stick at the guys, otherwise, you may forget this ambition forever. And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president”
The hackers have demanded payment of the $42 million within a week, and issued a warning to celebrity lawyer Allen Grubman: “Grubman, we will destroy your company down to the ground if we don’t see the money.”
Trump is not known to be a client of Grubman’s firm, nor is any of his companies, so it is unclear what — if any — “dirty laundry” the hackers may have on him.
The firm confirmed the doubling of the ransom demand on Thursday, labeling the attackers “foreign cyberterrorists” and adding that its clients had so far been very supportive.
“The leaking of our clients’ documents is a despicable and illegal attack by these foreign cyberterrorists who make their living attempting to extort high-profile U.S. companies, government entities, entertainers, politicians, and others,” the company said in a statement.
Who’s behind the attack?
The ransomware being used in this attack is known as Revil or Sodinokibi. Like all ransomware, once the malicious software is downloaded onto a victim’s network, it quickly encrypts all files (including back-up files) and renders the computer system unusable unless you pay the ransom.
Revil was the ransomware used in an attack on the foreign exchange company Travelex earlier this year.
The ransomware first emerged last April and has grown in popularity to become one of the most widely used weapons among hackers, targeting everything from businesses to hospitals and even cities.
In August last year, the authors of Revil advertised on an underground Russian hacking forum for a select group of hackers to come on board as affiliates and distribute the ransomware. Those who came on board kept 60% of the ransom they received while kicking the rest back up to the authors.
The move means that any one of those approved to distribute the ransomware could be behind the attack on Grubman’s firm.
While the identity of the ransomware authors is not known, there are clues to where they are located: in the dark web ad, the authors said it was forbidden to use the code against targets inside Russia.
The authors have also been linked to the Russian gang behind GandCrab, another hugely popular piece of ransomware. Analysis of the code shows Revil shared a significant amount of overlap with GandCrab, the authors of which reportedly retired last May after earning $2 billion.
“It has long been suspected that this group operates within Russia’s locus of control,” Allan Liska a ransomware expert at security intelligence firm Recorded Future told VICE News. “The Kremlin generally turns a blind eye to these activities, as long as the threat actors don’t target Russian citizens, however going after an ally of Russia may force Russian cyber security forces to turn their attention to the Revil team as well.”
Should the victims pay up?
Ransomware demands are typically much smaller than the $42 million being demanded by the hackers in this case. But with hundreds of A-list celebrities on its client list, there is plenty of incentive for Grubman’s law firm to pay up.
But even if it does, there is no guarantee the trove of personal documents won’t be published anyway.
“Paying the ransom does not guarantee that the attackers will not do anything with the data,” Hugo van den Toorn, manager of offensive security at Outpost24, told VICE News. “As a matter of fact, the worst has already happened; the company’s reputation has been impacted. Paying and dealing with the threat actors might, therefore, be the absolute last resort.”
And that appears to be the case here.
“[Grubman’s] view is, if he paid, the hackers might release the documents anyway,” a source at the law firm told Page Six. “Plus the FBI has stated this hack is considered an act of international terrorism, and we don’t negotiate with terrorists.”
Cover: US President Donald Trump steps off Air Force One after returning from travel to Allentown, Pennsylvania during the coronavirus disease (COVID-19) pandemic at Joint Base Andrews, Maryland on May 14, 2020. (Photo: CARLOS BARRIA/POOL/AFP via Getty Images)