Ransomware Attack on Swiss Law Firm Walder Wyss by Play Group

Incident Date:

June 13, 2024

Overview

Victim

Walder Wyss and Partners

Attacker

Play

Location

Zürich, Switzerland

First Reported

June 13, 2024

Ransomware Attack on Walder Wyss and Partners by Play Group

Overview of Walder Wyss and Partners

Walder Wyss and Partners is a leading Swiss law firm, renowned for its comprehensive legal services across various sectors. Founded in 1973, the firm employs over 250 legal experts and operates from six locations across Switzerland. They specialize in corporate and commercial law, banking and finance, intellectual property, dispute resolution, and tax law. Their dynamic market presence and high-quality services make them a prominent player in the legal industry.

Details of the Ransomware Attack

The ransomware group Play has claimed responsibility for a cyberattack on Walder Wyss and Partners. The attack compromised private and confidential data, including client documents, budget, payroll, accounting, contracts, taxes, IDs, and financial information. The breach was announced on Play's dark web leak site, highlighting the significant impact on the firm's operations and client trust.

About the Play Ransomware Group

Play ransomware is a variant linked to the Babuk code, known for targeting Linux systems. Operated by Ransom House, Play ransomware initially focused on data theft but has evolved to deploy cryptographic lockers. The group is distinguished by its use of Sosemanuk encryption and a verbose ransom note providing explicit instructions to victims. Play ransomware actors often use various hack tools and utilities, such as AnyDesk and NetCat, to achieve initial access and execute their attacks.

Potential Vulnerabilities and Penetration Methods

Walder Wyss and Partners, like many law firms, handles vast amounts of sensitive data, making it an attractive target for ransomware groups. The firm's extensive digital footprint and the critical nature of its services may have contributed to its vulnerability. Play ransomware could have penetrated the firm's systems through phishing attacks, exploiting unpatched software vulnerabilities, or leveraging weak network security protocols.
