Threat Watch

Law Firm for Major Entertainment Celebrities Compromised by Sodinokibi Ransomware

Sodinokibi: The law firm of Grubman Shire Meiselas & Sacks was recently compromised by the threat group behind Sodikonibi (also known as REvil) ransomware, resulting in the theft of 756 Gb of data. Some of the data belonged to the law firm itself—the rest directly impacts its clients, which includes some of the biggest names in entertainment. Currently, Sodikonibi is asking the law firm for $21 million to keep from releasing the data. According to the group’s website, the stolen data includes contracts, telephone numbers, emails, personal correspondence, Non-Disclosure Agreements (NDAs), and “more.”  In the initial posting, the group shared a scan of documents related to Madonna’s world tour which also included the Social Security number for the representative of Madonna who signed the document. The group has also released 2.4 Gb of data belonging to Lady Gaga. Along with the data, the group posted a message stating that, “The sponsor of this information is the company Coveware and their greed” and that they will “be back soon.” While no further explanation of this statement has been made by either the hackers or the victim, this is likely an indication that Coveware, a ransomware recovery service, is assisting the law firm in their recovery and that negotiations with the hackers have not been progressing well.

ANALYST NOTES

It is becoming evident that ransomware attacks must now be treated as data breaches as ransomware operators continue to threaten to release the data of their victims. With the number of high-profile clients that the law firm services, it is unlikely that Sodikonibi will give up on this one easily. When responding to a ransomware attack, quick recognition and response is vital. The sooner that an attack can be recognized and contained, the less damage that can be caused. Endpoint Detection and Response (EDR) can assist in the quick recognition of intrusions before they are able to spread throughout a victim’s network. Quick detection of an intrusion will allow fast and effective response, such as isolating the impacted devices, but it only provides value if a security operations center is monitoring alerts 24-hours a day, every day to respond at the first signs of attack . More information on this incident can be found at: https://pagesix.com/2020/05/12/allen-grubmans-client-files-hacked-and-held-for-ransom/