author photo
By SecureWorld News Team
Tue | May 12, 2020 | 6:15 AM PDT

A long list of powerful stars and media companies are nervous right now, wondering how many of their legal dealings might soon be spilled onto the web for the world to see.

And if a hacker group's claims are true, there seems to be only one way around it: the celebrity lawyers must pay a ransom to cybercriminals.

You might call it the ultimate Hollywood hush-money payment.

The firm is based in New York, with a client list that extends from Broadway to Beverly Hills.

What do we know about this cyber attack on law firm of the stars?

According to the bad actors behind REvil attacks, the initial ransom demand was an incredible $21 million. 

But the group posted on its website this week that negotiations with ransomware middle-man Coveware were a failure and time has run out on that initial ransom demand:

"Next...the hottest news, which we associate with GRUBMAN SHIRE MEISELAS & SACKS. Our demand was only 21.000.000$. The work was also done with the above mentioned coveware. After 10 days, we asked how much money had been collected from the amount. The answer was 365k. Of course, we realized that people are not determined to solve the problem.

Correspondingly, our tactics the same: the initial price of the contract is currently not valid and will be increased by the timer x2, as expected; The data will be published every week in parts.

It is inevitable and systematic. Up to the payment of the ransom up to a cent."

Now, REvil says, the ransom demand has doubled to $42 million. 

This all started when cybercriminals hit the law firm of Grubman, Shire, Meiselas & Sacks in early April with the REvil strain of ransomware. A key feature of this type of ransomware is its ability to steal data and documents to use as extortion, as in, pay up or we'll publish your stuff.

And in fact, entertainment publication Variety discovered the hackers involved started by publishing a page from one of Madonna's contracts.

It is one piece of 756 MB worth of forms, contracts, and personal correspondence reportedly stolen in the attack.

"The info the hackers has released so far 'is simply a warning shot,' Emsisoft threat analyst Brett Callow told Variety. 'It's the equivalent of a kidnapper sending a pinky finger.' The implicit threat is that if the firm doesn't pay the cybercriminals, the group will publish whatever other data they managed to steal, probably in installments, he added."

This week, the group published something else, which it claims is part of the files it stole on Lady Gaga.

And there's more. According to, the group claims it also found legal dirt on President Trump as a result of the law firm breach.

"There's an election race going on, and we found a ton of dirty laundry on time. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever," REvil operators wrote.

And they also ranted that the law firm is faced with a tough choice and no good options:

"Grubman, we will destroy your company to the ground if we don't see the money. Read the story of Travelex, it's very instructive. You repeating their scenario one to one."

We'll have more on the Travelex ransomware attack in a minute.

When it comes to this attack, also of note is the law firm's website. It has been down for weeks other than this lone image:


Which stars could also be victims in this ransomware attack?

What we've discussed so far is really just the beginning of possible leverage points possessed by the hackers.

Variety published a huge lineup of A-listers represented by the firm. Do you recognize any of these names?

  • Music: AC/DC, Barbra Streisand, Barry Manilow, Bette Midler, Bruce Springsteen, the David Bowie Estate, Drake, Elton John, Fiona Apple, Lady Gaga, Lionel Richie, Madonna, Maroon 5, Rod Stewart, Shania Twain, Sting, U2, Usher, the Whitney Houston Estate, and more.
  • Visual medium stars: Andrew Lloyd Webber, Barbara Walters, Clive Davis, David Letterman, Diane Sawyer, Kate Upton, Maria Shriver, Mariska Hargitay, Martha Stewart, Meg Ryan, Mikhail Baryshnikov, Nancy Grace, Naomi Campbell, Robert De Niro, Spike Lee, and more.
  • Athletes: Cam Newton, Colin Kaepernick, LeBron James, Mike Tyson, Scottie Pippen, and more.
  • Media companies: Activision, EMI Music Group, Facebook, HBO, iHeartMedia, Imax, Live Nation, Martha Stewart Living Omnimedia, MTV, NBA Entertainment, Playboy Enterprises, Samsung Electronics, Sony Corp. and Sony/ATV Music Publishing, Spotify, Universal Music Group, and more.

What could be happening behind the scenes of this ransomware attack?

What could be happening right now in this case?

For one thing, all sides could be rethinking what kind of ransom could be acceptable in this case.

If the law firm had cyber insurance, the policy may cover part of a ransom payment.

When Florida cities paid more than a million dollars to ransomware operators in 2019, insurance covered most of it. This type of policy is a savior for ransomware victims and a boon for cybercriminals who have an easier time collecting if insurance will pay for it.

However, there is another disturbing possibility in this case.

If the law firm does not come up with a satisfactory ransom, or even if it does, the ransomware operators may go after the stars directly.

This kind of scenario recently happened in Florida when hackers stole patient information from a plastic surgery clinic. The cybercriminals went after the doctor for ransom, then targeted patients to try to extort them.

Dr. Richard Davis at The Center for Facial Restoration (TCFFR) in Miramar, Florida, revealed the scenario:

"...about 15-20 patients have since contacted TCFFR to report individual ransom demands from the attackers threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met."

That's right: hackers are promising to expose your most private moments, like that elective procedure you kept secret, unless you pay.

Cybercriminals have figured out how to improve their return on investment (ROI) when it comes to ransomware attacks.

Criminal hacker gangs are evolving attacks with 'nuclear ransomware'

There is a constant battle in cyberspace between defenders who are sealing up cybersecurity vulnerabilities and attackers who are hunting for new holes which will allow them into corporate networks.

Ransomware attacks are in the middle of this evolution right now.

In the past, ransomware gangs encrypted corporate data so it was unreadable. However, if you had a secure backup of the data, you could restore your systems and tell hackers to take a flying leap with their ransom demand. Or sometimes, you could do the same thing with free ransomware decryption keys.

Security Awareness Advocate Erich Kron, of KnowBe4, tells us the ability to thwart attacks forced ransomware gangs to make the attacks even more damaging. It was a business decision on their part:

"The ransomware crooks got tired of the victim saying no. The company says we're not going to pay the ransom, or we've got the backups.

And the cybercriminals realized that the goal was administrator level access to somebody's environment. They can now do absolutely anything so that encrypting the data is the least of the victim's worries.

They are stealing your data. They are stealing your organization's intellectual property. They're stealing login credentials. These credentials can include those from across the network like billing, customer, and employee credentials, stealing all the passwords that everybody is using to go to any website that requires authentication.

So they're getting employee private email account passwords, they're getting a 401K or financial advisor password, getting your banking information, they're getting the social security numbers, they're getting the Facebook and Twitter logins."

And with all that information, sophisticated ransomware groups often launch more ransomware attacks and extortion attempts against you:

"More than likely, they are using the stolen data, or the access of the company, to spearphish your company's partners and customers.

And they are publicly shaming people and organizations when they don't pay a ransom or extortion demand—by letting the world know about the attack and publishing stolen data. It's all of these things, and a data backup is not going to help you at all," says Kron.

In the case of this particular type of "nuclear" ransomware, REvil, there is already precedent to pay cybercriminals to keep data from being published.

Foreign currency exchange Travelex was offline for weeks after getting hit with REvil ransomware, and according to the Wall Street Journal, the company paid $2.3 million in ransom to keep the hackers from publishing information it had stolen from the company.

In the case of the lawyers to the stars, well, at least they're a law firm. Maybe they can sue John Doe the way another company did after a nuclear ransomware attack.

What can your organization do to help guard against nuclear ransomware?

We highly suggest listening to our recent SecureWorld web conference on the topic, which is available on-demand: "Now that Ransomware Has Gone Nuclear, How Can You Avoid Becoming the Next Victim?

Related podcast on cybercrime sophistication

Hackers are no longer sitting in their mom's basement eating hot Cheetos. They are creating organizations that are excellent at spotting business opportunities, building teams, and generating profits. Listen to our podcast interview with the United States Secret Service for how these sophisticated groups work:

Tags: Ransomware,