Baird Mandalas Brockstedt LLC Hit by Akira Ransomware Attack

Incident Date:

September 5, 2024

World map

Overview

Title

Baird Mandalas Brockstedt LLC Hit by Akira Ransomware Attack

Victim

Baird Mandalas Brockstedt LLC

Attacker

Akira

Location

Dover, USA

Delaware, USA

First Reported

September 5, 2024

Ransomware Attack on Baird Mandalas Brockstedt LLC by Akira

Baird Mandalas Brockstedt & Federico, LLC (BMBF), a prominent law firm based in Dover, Delaware, has recently fallen victim to a ransomware attack orchestrated by the notorious Akira group. The attack, discovered on September 6, 2024, has resulted in the exfiltration of approximately 400GB of sensitive data, posing significant risks to the privacy and confidentiality of the firm's clients.

About Baird Mandalas Brockstedt & Federico, LLC

BMBF is a well-established law firm specializing in a diverse range of legal services, including complex personal injury cases, medical malpractice, environmental litigation, and mass torts. The firm has achieved over $1 billion in verdicts and settlements, with notable amounts such as $205 million in environmental settlements and $123 million in sexual abuse cases. The firm employs 63 people and has an annual revenue of $9.4 million, making it a successful mid-sized law firm with a strong financial foundation.

Attack Overview

The ransomware attack by Akira has led to the exfiltration of a vast array of personal client data, including birth and death certificates, passports, Social Security Numbers (SSNs), court hearings, and evidentiary documents. The compromised information poses a significant risk to the privacy and confidentiality of the law firm's clients. The attack highlights the vulnerabilities in the firm's cybersecurity measures, which were exploited by the threat actors to gain access to sensitive data.

About Akira Ransomware Group

Akira is a ransomware group that emerged in March 2023 and has quickly established itself as a significant threat in the cybersecurity landscape. The group operates using a double-extortion model, involving both data encryption and data theft. Akira typically appends the .akira extension to encrypted files and has been associated with tactics similar to those used by the notorious Conti ransomware group. The group often gains initial access through compromised credentials, exploiting vulnerabilities in public-facing services, or via phishing attacks.

Penetration Methods

Akira employs various tactics to infiltrate and operate within victim networks, including exploiting weak multi-factor authentication (MFA) and known vulnerabilities in VPNs, particularly targeting Cisco devices. The group uses tools like RDP, PowerShell, and credential dumping tools to navigate through networks and exfiltrate data before encryption occurs. The ransomware uses a combination of ChaCha20 and RSA algorithms for file encryption, while also deleting shadow copies to hinder recovery efforts.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.