One of the things that I find very interesting about eCrime activities is how they evolve and apply existing business models to their intrusions. It’s not that what they are doing hasn’t been done before, it’s just the application of these methods to data they’ve stolen, encrypted, or otherwise ruined someone’s day with. The latest evolution applies to the group affectionately known as Pinchy Spider. This group is responsible for the REvil and GandCrab (retired) ransomware applications. They are also into Ransomware as a Service (RaaS), so when you see REvil on a host you know they are involved in some way, though they might not be the ones who actually compromised the host. They just provide the service to collect the ransom.
About a month ago Pinchy decided to add a new “innovation” in getting money from intrusions associated with their platform. More and more ransomware operators have begun collecting data before they encrypt it so that they can threaten victims with the release of this information should they not pay the ransom. In a possible indication that victims are still not paying up enough, Pinchy decided to start holding auctions for the stolen data. The data itself can be very valuable, so they offer it up to other similarly unsavory individuals.
So how does the auction work? According to the Threatpost article, Pinchy places the data up for auction with a minimum bid and a “Buy Now” option called the “Blitz price”. Buyers solve a CAPTCHA and are issued a set of one-time credentials and a Monero wallet address. To place a bid and prove they are real bidders, each bid requires 10% down. So a $50,000 bid would require a $5,000 deposit. (Let’s see, I need to give a criminal group several thousand dollars and hope that I get it back if I’m outbid… Yup, I feel comfortable with this.) The auction continues until the time runs out and the winner gets their data. The outbid individuals supposedly get their deposit back.
What kind of money are we talking about with these auctions? This varies depending on the data stolen and how important it is deemed. Here are some examples listed by Threatpost. 50GB of data from a US law firm that includes confidential client data starts off at $30,000 with a blitz price of $50,000. However, 1.2TB of data from an intellectual property law firm had a starting price of $1M and a blitz price of $10M! You can imagine that the buyers for this type of data are a fairly select group. They would have to be in a position to either use this data in some way that is worth this kind of money, or they would have to know who to resell the data to. I can only picture the buyers of the intellectual property data being large companies or nations. Also, both of these would have to not care at all about enforcement of intellectual property.
The business model that Pinchy Spider is using isn’t new by any stretch. The application of it to this environment is pretty fascinating. These criminal groups are looking for any way that they can to increase their earnings. The blog post doesn’t say this, but I wouldn’t be shocked to find out that victims could even be paying out the ransom and still have their data sold at auction. After all, who are they going to complain to about it not being fair? The whole thing is illegal and making money off of the victim’s misfortune twice wouldn’t cause any of these crooks to lose any sleep. If this is your kind of article, it’s worth a read. Check the show notes for the link and check it out.