{
	"id": "3036bbe5-be66-40d9-8309-cf0faa24325e",
	"created_at": "2026-04-06T00:17:07.700448Z",
	"updated_at": "2026-04-10T03:21:56.550349Z",
	"deleted_at": null,
	"sha1_hash": "a3681dc39eccb8c8cf40907dde96edd80b3a8ebb",
	"title": "REvil ransomware creates eBay-like auction site for stolen data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2173705,
	"plain_text": "REvil ransomware creates eBay-like auction site for stolen data\r\nBy Lawrence Abrams\r\nPublished: 2020-06-02 · Archived: 2026-04-05 14:49:18 UTC\r\nThe operators of the REvil ransomware have launched a new auction site used to sell victim's stolen data to the highest\r\nbidder.\r\nREvil, otherwise known as Sodinokibi, is a ransomware operation that breaches corporate networks using exposed remote\r\ndesktop services, spam, exploits, and hacked Managed Service Providers.\r\nOnce established on a network, they quietly spread laterally through the company while stealing unencrypted data from\r\nworkstations and exposed servers.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nWhen they gain administrative access to a domain controller, they proceed to deploy the ransomware to encrypt all of the\r\ncomputers on the network.\r\nEarlier this year, the REvil operators released a data leak site that is used to publish a victim's data if a ransom is not paid.\r\nNamed the 'Happy Blog,' the ransomware gang uses the site to post samples of the stolen data and then threaten to release\r\nthe actual files.\r\nREvil data leak site\r\nHistorically, after a few days, the ransomware operators post a link to the stolen data so that other threat actors can use it for\r\nfree.\r\nStolen data auctioned to the highest bidder\r\nIn May, REvil started leaking the data for the celebrity law firm Grubman Shire Meiselas \u0026 Sacks (GSMLaw) after a\r\nransom was not paid.\r\nAs part of these leaks, the ransomware gang claimed to have data about President Trump and auctioned it with a starting\r\nprice of $1,000,000.\r\nThey later claimed to have sold the President's data and warned that they would auction data belonging to Madonna in the\r\nfuture.\r\nTo continue generating revenue when a victim does not pay, the REvil operators have launched a new section on their data\r\nleak site used to conduct auctions.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/\r\nPage 3 of 6\n\nNew REvil auction site\r\nCurrently, the ransomware operators are auctioning off the stolen data for two companies.\r\nThe first is a U.S. food distributor whose auctioned data has a starting price of $100,000 but can be bought immediately at a\r\n\"Blitz price\" of $200,000.\r\nThe second victim is a Canadian agricultural company whose auction starts at $50,000 and has a buy now of $100,000.\r\nTo bid on an auction, bidders must agree to the following rules.\r\nTo bid on an auction, you must register for each auction separately.\r\nAfter registration, you will need to make a deposit of 10% of the starting price. At the end of the auction the amount will be\r\nrefunded (except for blockchain commission).\r\nIf you have not paid your bid on the winning auction, you will lose your deposit. This is to ensure that none of the bidders\r\nmake fake bids.\r\nAll computational operations are performed in the cryptocurrency Monero (XMR).\r\nBy clicking Continue you confirm that you agree to the terms above. You will be given a username/password and details of\r\ndeposit payment.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/\r\nPage 4 of 6\n\nBidding interface\r\nIn their auction site announcement, the operators hinted that other auctions are coming soon with the statement, \"And we\r\nremember the Madonna and other people. Soon.\"\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/\r\nPage 5 of 6\n\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/revil-ransomware-creates-ebay-like-auction-site-for-stolen-data/"
	],
	"report_names": [
		"revil-ransomware-creates-ebay-like-auction-site-for-stolen-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775434627,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3681dc39eccb8c8cf40907dde96edd80b3a8ebb.pdf",
		"text": "https://archive.orkl.eu/a3681dc39eccb8c8cf40907dde96edd80b3a8ebb.txt",
		"img": "https://archive.orkl.eu/a3681dc39eccb8c8cf40907dde96edd80b3a8ebb.jpg"
	}
}