Grubman Shire Hack: REvil Scores a Blackmail Slam Dunk
How much is basketball megastar LeBron James’ brand worth to hackers?
When you calculate it, LeBron’s name earns him more than his game. And to the cybercriminals who orchestrated the Grubman Shire Hack, that kind of payday is worth jumping through some hoops.
Consider what James makes off of his reputation alone, including endorsement deals with Nike, Coke, Beats and others: $55 million/year in endorsements vs. $37 million/year to play ball, to be exact. Yes, those sponsorship deals hinge on his superiority at basketball, but would be worth little if they weren’t backed by a stellar reputation. Just ask Tiger Woods, who lost most of his earning potential when his reputation crashed into a distasteful sex scandal.
Because James’ reputation is his greatest financial asset, you can imagine the court lengths he goes to in order to defend it. For this reason, celebrities tend to be uber private with their personal lives – homes that are more like secret compounds, contracts and non-disclosure agreements (NDAs) to legally shield sensitive information, sophisticated data security tools to protect digital assets and, most relevant to our discussion today, high-priced lawyers to handle all of the highly confidential details.
But LeBron James didn’t get hacked.
His lawyers did. And with them, his highly-confidential, potentially damaging details. Grubman Shire Meiselas & Sacks, a high-powered law firm to the stars, also had the contracts, NDAs (ironic!), home addresses, mobile numbers, private emails and correspondence of Lady Gaga, Madonna, Bruce Springsteen, Cam Newton and yes, even Run DMC, electronically hijacked as well. I can just picture the hackers, adorned in parachute pants, chanting the lyrics: “CAN touch this!”
The ransomware crime ring known as REvil (Are Evil) demanded a $42 million payoff after the Grubman Shire hack to NOT expose the data on all of its clients. So Grubman Shire had the unenviable job of choosing to lose $42 million overnight versus the much more expensive and long-term cost of watching disgruntled superstars take the bench because of the breach.
But the attorneys clearly have to take responsibility and pay up for the Grubman Shire hack.
It was beyond question that Grubman Shire, like many companies before them, would pay the ransom to robustly defend the incredibly sensitive data, not to mention their profitable relationships, with their best “players”.
But they didn’t.
The law firm chose not to pay the ransom and thumbed their nose at the cybercriminals. I’m not sure how LeBron and the Lady felt about that, but the decision was wise, because even if you pay their demands, you’ve only secured a pinkie promise from a dishonest criminal; who’s to say that they won’t expose the data after they’ve cashed the Bitcoin? Steal, extort and share is the latest Dark Web craze.
So which secrets of LeBron’s were inevitably exposed?
None (yet), because the hackers weren’t done with their game. Remember, REvil’s goal is to make money, not to give away the product of their work for free. So they took their demands directly to the stars, baiting them with ugly consequences…
“Show business is not [just] concerts and love of fans only. Also, it is big money and social manipulation, mud lurking behind the scenes and sexual scandals, drugs and treachery.”
The hacking group, also known as Sodinokibi, were upping the stakes, threatening to expose lurid details that could defeat even the most popular of athletes.
In doing so, REvil added a new twist to the old ransom game – they divided the information into files about individual celebrities and listed them for sale on an Internet auction to the highest bidder. It was like Sotheby’s for Scammers.
Now LeBron, Bette Midler and The Boss were the masters of their own fate, simply needing to hand over $600,000 to $1 million each via cryptocurrency to keep their private data private.
What did LeBron pay? Lady Gaga, Mariah Carey and Mr. DMC? That’s the problem with cyber blackmail – we never get to know the outcome, because no one in their right mind admits to being successfully blackmailed, extorted, and humiliated, for fear of attracting copycats. We will never know if they paid or what they paid.
Clearly, none of the celebrities were at fault, and they had little control over the situation, so what’s the point? There are three:
- You always have some control over the situation, but by the time your business data is hacked, it’s too late to keep it from being exposed.
- Preventing a cyber intrusion before it happens has the greatest ROI.
- Most specifically, your organization MUST immediately vet the security measures of all 3rd parties who have access to your sensitive information. This is especially true for organizations that store sensitive data on cloud servers, deploy 3rd-party software apps or utilize outside vendors like lawyers and accountants (with potentially lax security postures).
Island hopping, which means gaining access into one entity’s systems in order to exploit the downstream systems of their constituents (clients, vendors, employees, voters), is the name of the latest cybercrime game, and it is quickly coming to an arena near you.
What secrets would ransomware gangs go after in your business, and in the systems that support your partners? What’s your brand worth and how much should you spend to protect it? Because, for the record, most corporate reputations are worth far more than LeBron James’.
John Sileo is a cybersecurity expert, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences virtually and around the world and is the CEO of The Sileo Group, a technology think tank based in Colorado.