Ransomware Attack Hits Prominent Sacramento Law Firm KMTG

Incident Date: August 22, 2024


Overview

Title: Ransomware Attack Hits Prominent Sacramento Law Firm KMTG
Victim: Kronick Moskovitz Tiedemann & Girard
Attacker: Rhysida
Location: Sacramento, California, USA
First Reported: August 22, 2024

Ransomware Attack on Kronick Moskovitz Tiedemann & Girard by Rhysida

Kronick Moskovitz Tiedemann & Girard (KMTG), a prominent law firm based in Sacramento, California, has fallen victim to a ransomware attack orchestrated by the Rhysida ransomware group. The attack was discovered on August 23, and the threat actors have threatened to publish the firm's data within the next 6-7 days.

About Kronick Moskovitz Tiedemann & Girard

KMTG is a full-service law firm known for its comprehensive legal services tailored to both public and private sector clients. The firm specializes in various practice areas, including labor and employment law, business services, administrative law, real estate law, and public law. With approximately 80 employees and an annual revenue of around $17.2 million, KMTG has built a reputation for effectively representing local governments, public agencies, and private businesses across California.

What sets KMTG apart is its extensive experience and expertise in water law and related resource issues, which is crucial given California's unique environmental challenges. This specialization, combined with a diverse practice portfolio, positions the firm as a key player in the legal landscape of the state.

Attack Overview

The Rhysida ransomware group has claimed responsibility for the attack on KMTG via their dark web leak site. The group has already posted sample screenshots of the compromised data, although the exact size of the data leak remains unknown. The attack has put KMTG at significant operational and reputational risk as it navigates this cybersecurity crisis.

About Rhysida Ransomware Group

The Rhysida Ransomware Group is a relatively new player in the cybercrime arena, first sighted in May 2023. The group primarily targets sectors such as education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and specifically targets the Windows Operating System. The group employs a double extortion technique, stealing data from victim networks before encrypting it and threatening to publish it on the dark web unless a ransom is paid.

Rhysida's ransomware is a 64-bit Portable Executable (PE) Windows cryptographic ransomware application compiled with MinGW/GCC. It combines a 4096-bit RSA key with the ChaCha20 cipher for encryption. The ransom notes are generated as PDF documents named "CriticalBreachDetected.pdf" and are saved in each affected folder on the targeted drives.

Potential Vulnerabilities

Rhysida primarily relies on valid credentials and VPN connections for initial access. The group uses built-in net commands and tools such as Advanced IP Scanner and Advanced Port Scanner to enumerate victim environments and gather information about domains. It also uses Sysinternals tools like PsExec to deploy the ransomware on target systems and move laterally. The exact method by which Rhysida penetrated KMTG's systems is still under investigation, but it is likely that phishing campaigns and the abuse of valid credentials played a role.
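Two of the behaviours described above are easy to turn into detection logic: the fixed ransom note file name dropped into every affected folder, and the PSEXESVC service that PsExec installs on a remote host during lateral movement. The following is an added example written for this page (not tooling from the tracker, from KMTG, or from any vendor) that runs both rules over a few constructed telemetry records; the event field names are an assumption modelled loosely on Sysmon EventID 11 (FileCreate) and the System log's EventID 7045 (service installed), and the sample events are constructed, not logs from the incident.

```python
"""Added example: a small detection pass over constructed endpoint telemetry
for two Rhysida behaviours, the ransom note file name "CriticalBreachDetected.pdf"
and PsExec-driven lateral movement. Illustration code written for this page,
not tooling from the tracker, from KMTG, or from any vendor."""
import json
from collections import defaultdict

# Indicator values. The note name comes from the page; PSEXESVC is the service
# name PsExec installs on a remote host (standard Sysinternals behaviour).
RANSOM_NOTE_NAME = "criticalbreachdetected.pdf"
PSEXEC_SERVICE_NAME = "psexesvc"

# Constructed sample events (JSON lines), not logs from the incident. Field names
# are an assumption, loosely modelled on Sysmon EventID 11 (FileCreate) and the
# System log's EventID 7045 (a service was installed).
SAMPLE_EVENTS = r"""
{"host": "ws-01", "event_id": 11, "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\a\\Documents\\report.docx"}
{"host": "fs-01", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"}
{"host": "fs-01", "event_id": 11, "image": "C:\\Temp\\x.exe", "target": "C:\\Shares\\Clients\\CriticalBreachDetected.pdf"}
{"host": "fs-01", "event_id": 11, "image": "C:\\Temp\\x.exe", "target": "C:\\Shares\\HR\\CriticalBreachDetected.pdf"}
{"host": "fs-01", "event_id": 11, "image": "C:\\Temp\\x.exe", "target": "D:\\Backups\\criticalbreachdetected.pdf"}
{"host": "ws-02", "event_id": 7045, "service_name": "Spooler2", "image_path": "C:\\Windows\\System32\\spoolsv.exe"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, mass_drop_threshold=3):
    """Return a list of alert dicts.

    Rules:
      psexec_service_install: EventID 7045 installing the PSEXESVC service.
      ransom_note_drop: any file-create of the ransom note name; severity is
        raised to 'high' once the note lands in mass_drop_threshold or more
        distinct folders on one host, which indicates encryption in progress.
    """
    alerts = []
    note_dirs = defaultdict(set)     # host -> folders where the note appeared
    note_writers = defaultdict(set)  # host -> processes that wrote it
    for ev in events:
        eid = ev.get("event_id")
        if eid == 7045 and ev.get("service_name", "").lower() == PSEXEC_SERVICE_NAME:
            alerts.append({
                "host": ev["host"], "rule": "psexec_service_install",
                "severity": "medium", "detail": ev.get("image_path", ""),
            })
        elif eid == 11:
            # Split the Windows path into its folder and file name.
            folder, _, name = ev.get("target", "").rpartition("\\")
            if name.lower() == RANSOM_NOTE_NAME:
                note_dirs[ev["host"]].add(folder)
                note_writers[ev["host"]].add(ev.get("image", ""))
    for host, folders in note_dirs.items():
        alerts.append({
            "host": host, "rule": "ransom_note_drop",
            "severity": "high" if len(folders) >= mass_drop_threshold else "medium",
            "folders": len(folders),
            "detail": "written by " + ", ".join(sorted(note_writers[host])),
        })
    return alerts


def run_sample():
    """Run the detector over the constructed telemetry above."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the sample data the detector raises a medium alert for the PSEXESVC install on fs-01 and a high alert for the ransom note appearing in three folders on the same host; the writing process is carried in the alert detail so a responder can pivot straight to the binary. A single note drop still alerts at medium, since the file name alone is a high-fidelity indicator.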

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups, and their victims. Given threat actors' overarching, lucrative success so far, ransomware attacks have become the most ubiquitous and the most financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.