donutleaks attacks Sheppard Robson

Incident Date:

August 24, 2022

World map



donutleaks attacks Sheppard Robson


Sheppard Robson




London, United Kingdom

England, United Kingdom

First Reported

August 24, 2022

Sheppard Robson Suffers Ransomware Attack by Donut Leaks Group

Sheppard Robson, a prominent UK-based architectural firm, recently fell victim to a ransomware attack orchestrated by the Donut Leaks group. This incident was publicly disclosed by the firm on August 4, 2022, via a LinkedIn announcement. As the fifth largest architectural practice in the UK, Sheppard Robson employs 374 staff across its offices in Manchester, Glasgow, and London. The firm is well-regarded in the construction sector for its commitment to innovative and sustainable design solutions.

The cyberattack led to the disconnection of the company's systems from the internet, forcing Sheppard Robson to undertake measures to regain access to its servers. Despite the attackers' demands for a ransom, Sheppard Robson chose not to comply and instead reported the incident to law enforcement. This situation underscores the escalating threat of cyberattacks in an era where businesses increasingly adopt hybrid working models, thereby intensifying the demands on cybersecurity frameworks.

The Modus Operandi of Donut Leaks

The Donut Leaks group, notorious for its data extortion schemes, has been implicated in several recent ransomware attacks targeting entities such as the Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and the multinational construction company Sando. The group is reported to have leaked around 2.8 TB of data stolen from these organizations. It remains ambiguous whether Donut Leaks employs ransomware in its operations or if its activities are exclusively centered around data extortion.

Implications for Cybersecurity in Hybrid Work Environments

The susceptibility of Sheppard Robson to this ransomware attack can be partly attributed to the firm's increased reliance on digital infrastructures and the inherent challenges of upholding stringent cybersecurity measures in a hybrid work setting. Despite possessing government-endorsed security protocols and certifications, the firm's defenses were breached, highlighting the sophisticated nature of modern cyber threats.

This incident acts as a cautionary tale for businesses, emphasizing the importance of maintaining vigilance against cyber threats and establishing comprehensive strategies for mitigating and recovering from potential cyberattacks.


Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.