International law firm Seyfarth Shaw announced on Monday that it was the victim of a ransomware attack over the weekend.
With more than 900 lawyers in 17 offices in America, Europe, and the Asia Pacific regions, the company made over $700 million in gross revenue last year, placing it in the lower half of the top 100 highest-grossing law firms in the world.
The incident occurred on Saturday, with the company describing it as a “sophisticated and aggressive malware attack.” The timing is typical for cyber attacks, ransomware in particular, as companies have fewer employees working weekends.
In its notification about the attack, Seyfarth Shaw says that as far as they know, “a number of other entities were simultaneously hit with this same attack.”
The company states that its monitoring systems caught the unauthorized activity and the IT department was quick to stop the spread.
These steps did not prevent the file encryption routine from being deployed to “many of our systems.” As a precaution, encrypted computers have been shut down.
“Our clients remain our top priority, and we will continue to do everything necessary to protect their confidential information and continue to serve them. We are coordinating with the FBI and are working around the clock to bring our systems back online as quickly and safely as possible” – Seyfarth Shaw
It is unclear how damaging this attack is, but Seyfarth Shaw says that they did not find evidence that the attackers accessed or stole client or company data.
Seyfarth Shaw announced that their email system is currently down but the phone system continues to function. Reaching out to the law firm over the internet is still possible, through a contact form.
BleepingComputer reached out to Seyfarth Shaw for more information about the attack. A company representative replied from their personal email address saying that they have no additional information to offer at this time.
Ransomware and data theft risk
After gaining access to the network, ransomware operators typically spend some time running reconnaissance and move laterally to the most valuable machines (servers, backups).
Weeks can pass between obtaining initial access and the moment they move to encrypt computers. During this period, most ransomware attackers steal unencrypted data.
The information is often used as leverage to force the victim to pay the ransom under the threat of leaking it to the public. This tactic was first seen with Maze ransomware in November 2019 and has been adopted by more and more groups in the ransomware business.
BleepingComputer knows of 19 ransomware gangs that currently steal data from their victims and threaten to release it to the public unless their demands are met.
Of these, 16 have a dedicated site advertising stolen data and offering it for free or setting up auctions to sell it to the highest bidder. Sometimes, they sell the data on cybercriminal forums.
Case in point: In June, the REvil ransomware gang published an auction site for data stolen from celebrity law firm Grubman Shire Meiselas & Sacks (GSMLaw). This move came after the law firm refused to pay a $42 million ransom (initially $21 million). Before this, in May, they leaked some documents related to the company’s clients.