Rhysida Ransomware Hits BrownWinick Law Firm in Des Moines Cyberattack

Incident Date:

July 14, 2024

World map

Overview

Title

Rhysida Ransomware Hits BrownWinick Law Firm in Des Moines Cyberattack

Victim

BrownWinick

Attacker

Rhysida

Location

Des Moines, USA

Iowa, USA

First Reported

July 14, 2024

Rhysida Ransomware Group Targets BrownWinick Law Firm in Des Moines

Overview of the Attack

On July 16, 2024, BrownWinick, a prominent law firm based in Des Moines, Iowa, specializing in corporate law, litigation, and intellectual property, fell victim to a ransomware attack orchestrated by the Rhysida Ransomware Group. The extent of the data breach remains undisclosed, but the attack underscores the vulnerabilities faced by legal institutions in protecting sensitive client information.

About BrownWinick

BrownWinick is a full-service law firm established in 1951, known for its comprehensive legal solutions tailored primarily for businesses. The firm offers expertise across various practice areas, including corporate law, litigation, real estate, employment law, taxation, and intellectual property. BrownWinick's client-centric approach and commitment to community engagement distinguish it in the legal industry. The firm has been recognized as a Top Workplace in Iowa for 2023, reflecting its positive work environment and dedication to client service.

Vulnerabilities and Targeting

Legal firms like BrownWinick are attractive targets for ransomware groups due to the sensitive nature of the data they handle, including confidential client information and intellectual property. The firm's extensive use of digital systems for managing legal documents and communications makes it susceptible to cyberattacks. The Rhysida Ransomware Group likely exploited these vulnerabilities to infiltrate BrownWinick's network.

About Rhysida Ransomware Group

The Rhysida Ransomware Group emerged in May 2023 and has since targeted various sectors, including education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and primarily targets Windows operating systems. The group employs a double extortion technique, stealing data before encrypting it and threatening to publish it on the dark web unless a ransom is paid. Rhysida's attacks are characterized by the use of phishing campaigns, valid credentials, and tools like PsExec for lateral movement within victim networks.

Penetration Methods

Rhysida likely penetrated BrownWinick's systems through phishing campaigns or by leveraging valid credentials obtained through unknown means. Once inside the network, the group used net commands and tools like Advance IP/Port Scanner to gather information about the environment. The ransomware was then deployed using Sysinternals tools, encrypting files with the ChaCha20 algorithm and leaving ransom notes in the form of PDF documents named “CriticalBreachDetected.pdf”.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.