Sodinokibi ransomware gang auctions off stolen data

Sodinokibi ransomware gang auctions off stolen data

Is it legal to buy stolen data from criminals? In most countries the answer would be no. But will it lead to a penalty or a fine? That is a different question and I’m afraid some companies and organizations will be inclined to seriously consider the last question even when they know the answer to the first one. Maybe we can at least agree that it is not ethical or recommended.

Why are we asking you this?

As we reported earlier, some ransomware operators make it a habit to exfiltrate data from the networks they break into. The stolen data are to be used as an extra incentive to persuade the victims into paying. If the victims don’t pay up, the stolen data will be published.

But now, the Sodinokibi, aka REvil, ransomware operators have come up with yet another way to make money using the stolen data. They have launched a new auction site used to sell victim’s stolen data to the highest bidder. Considering how this information could be interesting to several parties when it concerns a high profile victim or for a select few when it concerns a direct competitor, it makes sense to ask for a steep price.

The ransomware gang already ran a site called “Happy Blog” where they post samples of the stolen data and then threaten to release the actual files to the public. For the auction site they use this new format:

On the auction site you can find information about the organizations they have stolen data from and some information about what the data includes.

The auction procedure

On the site you can find these rules:

  • To bid on an auction, you must register for each auction separately.
  • After registration, you will need to make a deposit of 10% of the starting price. At the end of the auction the amount will be refunded (except for blockchain commission).
  • If you have not paid your bid on the winning auction, you will lose your deposit. This is to ensure that none of the bidders make fake bids.
  • All computational operations are performed in the cryptocurrency Monero (XMR).

By clicking “continue” you confirm that you agree to the terms above. You will be given a username/password and details of deposit payment.

In the description for each dataset, you find the starting price and the minimum deposit (10% of the starting price), but also a blitz price that allows you to buy the data without further bidding.

Only organizations and companies?

Apparently not. On their auction site the authors posted a hint that there might be more interesting data forthcoming.

“And we remember the Madonna and other people. Soon.”

As we have reported earlier, a lawfirm representing many megastars fell victim to the Sodinokibi gang as well. So, we anticipate that those stolen data may be in high demand and bring the criminals a pretty penny.

Buying stolen data

Buying these data is a bad idea for several reasons.

  • You are keeping the ransomware business model alive by paying the ransomware operators. It does not matter whether that payment is a ransom or a payment for stolen data.
  • It should not come as a surprise that dealing with criminals could pan out poorly. They may double-cross you or turn you into their next victim.
  • Buying stolen data is illegal and the seller will know that you have done something illegal, which opens a new avenue of extortion.
  • Data are easily copied, so who is going to guarantee that you will have exclusive access to the data you bought? A bunch of known criminals?
  • Are you sure you will get your deposit back if you are outbid?

These auctions may be yet another trend in the ransomware-as-a-service business models, even though the extra exposure involved in selling data may slightly heighten the chances of the criminals getting caught. Many organizations have adapted to the fact that ransomware exists and have taken precautions by way of protection and by creating easy to deploy backups.

Information about Sodinokibi


In case you are interested in some more background information about the Sodinokibi ransomware we highly recommend these Malwarebytes resources:

Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void

Sodinokibi drops greatest hits collection, and crime is the secret ingredient

Detection profile for Ransom.Sodinokibi

Stay out of their greedy claws, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.