REvil ransomware gang launches auction site to sell stolen data

Threat actors behind REvil ransomware have launched an auction site to sell data stolen from companies compromised by its malicious software.

On Tuesday, the group began the online bidding process on its dark web site "The Happy Blog", posting samples of data belonging to Canadian firm Agromart Group.

The hackers claimed that scanned copies of Agromart's financial accounts, agreement forms and credit applications, personal net worth documents and age records of users are among the data available for auction.

Agromart Group was hacked last month, but the company chose not to pay the ransom demand. The auction for Agromart's data starts at $50,000 and has a 'buy-now' price of $100,000.

The second victim is a US food distributor whose data is being auctioned at a starting price of $100,000. The REvil gang is offering a "Blitz price" of $200,000 for immediate purchase of the complete data.

The hackers said that individuals who want to bid on an auction will need to register separately for each auction. After registration, they will have to deposit 10 per cent of the starting price.

Bidders who fail to pay the bid after winning the auction will lose their deposit. All transactions will be conducted in the cryptocurrency Monero, the gang said.

Towards the end of its message, the group threatens to auction off the data stolen from the singer Madonna.

REvil, also known as Sodinokibi or Sodin, is a ransomware operation that breaches company networks using spam, exploits, exposed remote desktop services and hacked managed service providers (MSPs). The gang primarily focuses on big firms and avoids targeting consumers.

In January, for the first time, REvil operators released files stolen from one of their victims. The links to nearly 337MB of files were posted on a Russian malware forum, and the group claimed that the data belonged to US tech firm Artech Information Systems.

Also in January, the group was thought to have demanded a $3 million ransom from foreign currency exchange firm Travelex after penetrating its network and encrypting its systems with Sodinokibi ransomware.

Last year, researchers from cyber security firm Kaspersky warned that they had seen Sodinokibi ransomware exploiting a zero-day Windows vulnerability (CVE-2018-8453) to infect systems.

Last month, REvil operators said that they had "dirty laundry" on President Trump and would publish it if a $42 million ransom was not paid within a week.

A few days later, the group stated that it had sold the data to an "interested party".