The REvil/Sodinokibi ransomware hackers that struck celebrity law firm Grubman, Shire, Meiselas and Sacks and threatened to release information on clients like Lady Gaga and Madonna as well as President Trump likely exploited an unpatched Citrix vulnerability, and have now turned their sights to a major food company, Sherwood Forest and Harvest Distributors.

“…Sherwood has been aware of and dealing with this attack for over a week, although it had not gone public, according to researchers at DarkOwl, who said the attackers posted a notice online Friday threatening to download eight of the company’s proprietary files as a preview of releases to come. The first link contains around 2,300 files.

“These files contain highly sensitive data including cash-flow analysis, sub-distributor info, detailed insurance information, proprietary vendor information – including that of Kroger, Albertsons, Sprouts – scanned drivers license images for drivers in their distribution networks, etc.,” the researchers said in a blog post.

The REvil attackers have recently upped their activity, striking a variety of targets from travel companies to dentist offices. Last week, they published some files on Lady Gaga and Christina Aguilera and doubled the ransom request for Grubman’s files to $42 million and threatened to release damaging information on President Trump.

Despite the escalating threats, Grubman has said it would not pay the ransom, noting in a statement that the FBI and cyber experts advise that “negotiating with or paying ransom to terrorists is a violation of federal criminal law.”

Referring to the attack as terrorism is curious, considering that to date no ransomware attack has been classified as a terrorist act, though threatening to release information on the president may have prompted federal investigators to reclassify it as such, a security researcher last week told SC Media. That researcher said the attackers may have shot themselves in the foot by mentioning Trump and would no longer be unable to collect the ransom, though it probably increased the likelihood they will publish or auction the data.

Despite the law firm’s claim to have made a “substantial investment in state-of-the-art technology security,” it seems it let a Pulse Secure VPN security vulnerability – CVE-2019-11510, affecting Citrix products and exploited in the past by the REvil/Sodinokibi attackers – go unpatched for at least six months after an update was provided.

Grubman and Sherwood share at least one connection: Both used the services of Coveware to mitigate their attacks, DarkOwl said, pointing to a conversation the attackers had with Coveware that was included in their first Sherwood data dump.

“While the threat actors only posted Coveware’s side of the conversation, it is clear that Coveware attempted to negotiate by acting as a middleman between Sherwood, their board and the attackers,” DarkOwl said. “Also of note is that Grubman…also utilized Coveware’s services, which is worth keeping in mind considering these two are supposedly unrelated companies/targets.”