Ransomware Attack on New Mexico Public Defender's Office Disrupts Services Statewide

Incident Date: July 19, 2024

Overview

Title: Ransomware Attack on New Mexico Public Defender's Office Disrupts Services Statewide
Victim: Law Offices of the Public Defender - New Mexico
Attacker: Rhysida
Location: Santa Fe, USA; New Mexico, USA
First Reported: July 19, 2024

Ransomware Attack on Law Offices of the Public Defender - New Mexico

Overview of the Victim

The Law Offices of the Public Defender (LOPD) in New Mexico is the state's largest law firm, dedicated to providing legal representation to low-income individuals facing criminal charges. With 13 district offices and over 400 employees, the LOPD plays a crucial role in ensuring justice and protecting the constitutional rights of New Mexicans. The organization is led by Chief Public Defender Bennett J. Baur and operates with a diverse team that includes attorneys, social workers, investigators, and paralegals. The LOPD also advocates for criminal justice reforms in the New Mexico legislature.

Details of the Attack

In late June, the LOPD fell victim to a ransomware attack orchestrated by the Rhysida group. This breach compromised critical internal records and disrupted communication channels, including the department's email system. As a result, the LOPD had to resort to a newly created Gmail account for communication. Chief Public Defender Ben Baur declared the situation an emergency, emphasizing the need to protect confidential information and restore system functionality. The attack appears to be contained within the department, but enhanced security measures are expected to delay court proceedings statewide.

About the Rhysida Ransomware Group

The Rhysida Ransomware Group emerged in May 2023 and has been targeting sectors such as education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and primarily targets Windows operating systems. The group employs a double extortion technique, stealing data before encrypting it and threatening to publish it on the dark web unless a ransom is paid. Rhysida uses the ChaCha20 encryption algorithm and generates ransom notes as PDF documents named “CriticalBreachDetected.pdf.”

Penetration and Impact

Rhysida typically gains initial access through phishing campaigns and the use of valid credentials. Once inside a network, the group uses tools such as Advanced IP/Port Scanner and Sysinternals PsExec for lateral movement. In the case of the LOPD, the attack disrupted essential services, forcing the office to adopt alternative communication methods and potentially delaying legal proceedings. This incident highlights the vulnerability of public-sector organizations to sophisticated ransomware attacks.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.