The ransomware gang that stole almost 1 terabyte of legal secrets from the biggest names in the entertainment industry is now demanding $42 million in cryptocurrency or else it will expose United States President Donald Trump's “dirty laundry.”

The gang has already released a 2-gigabyte trove of legal documents marked "Lady Gaga" and fired the link to media outlets including Cointelegraph, which broke the news last week about the attack on New York law firm Grubman Shire Meiselas & Sacks.

The law firm has clients that include Elton John, Robert DeNiro and Madonna. The gang hacked and encrypted the firm’s server, stealing 756 GB of data on confidential contracts, telephone numbers, email addresses, personal correspondence, nondisclosure agreements and more. The company has so far refused to pay up. 

Doubling down

The REvil ransomware group — also known as Sodinokibi — posted a new message on May 14 that said they were doubling their original ransom and using dirt on Trump as leverage: “The next person we’ll be publishing is Donald Trump. There’s an election going on, and we found a ton of dirty laundry on time.”

Addressing Trump directly, REvil recommended he “poke a sharp stick at the guys” (referring to the law firm) within a week if he wanted to remain president. And to the voters: “We can let you know that after such a publication, you certainly [won’t] want to see him as president.”

The attackers have threatened to release the stolen data in nine staged releases unless their demands for a ransom are met by the firm. The ransomware gang prefers to be paid in Monero, but also accepts Bitcoin for a higher fee.

It’s unclear what link Trump has to the firm, as he’s not believed to have ever been a client.

Response from the law firm

According to the New York Post, Grubman is refusing to negotiate with the hackers, despite their threats to “destroy [the law firm] down to the ground if [they] don’t see the money.” He believes the hackers may release the documents even if he does pay, and the Federal Bureau of Investigation considers the hack an act of terrorism. The U.S. famously does not negotiate with terrorists.

Brett Callow of information security firm Emsisoft described the ransom as “one of the largest demands ever heard” and echoed Grubman’s sentiment:

“Companies in this situation have no good options available... Even if they pay the ransom demand, there is no guarantee the criminals will destroy the stolen data if it has a high market value. The data may still be sold or traded... In these cases, it’s possible that the criminals will attempt to extort money directly from the people whose information was exposed.”