Ransomware Attack on Shinnick & Ryan by Play Ransomware Group

Overview of Shinnick & Ryan

Shinnick & Ryan is a prominent law firm specializing in resolving construction and design deficiency cases for homeowners. With headquarters in San Diego, California, and a secondary office in Phoenix, Arizona, the firm employs between 51-200 people across multiple locations in Arizona, California, Nevada, and New Mexico. The firm has recovered over $100 million for its clients and repaired thousands of homes through litigation and negotiation with developers, subcontractors, and the insurance industry. They are active members of legislative groups like the Community Associations Institute (CAI) and the California Association of Community Managers (CACM) to advocate for homeowner protections.

Details of the Ransomware Attack

Shinnick & Ryan recently fell victim to a ransomware attack orchestrated by the Play ransomware group. The attack compromised a wide array of sensitive data, including private and personal confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, and financial information. The breach was announced on Play's dark web leak site, highlighting the severity and scope of the data exfiltration.

About the Play Ransomware Group

The Play ransomware group, operated by Ransom House, is known for its sophisticated attacks targeting Linux systems. Initially linked to the Babuk code, Play ransomware has evolved to target ESXi lockers. The group employs cryptographic lockers and has a unique approach to victim communication, often using verbose ransom notes to provide explicit instructions. Play ransomware actors have been observed using various hack tools and utilities, such as AnyDesk, NetCat, and encoded PowerShell Empire scripts, to achieve initial access and deploy their ransomware.

Potential Vulnerabilities and Penetration Methods

Shinnick & Ryan's extensive handling of sensitive client data and financial information makes them a lucrative target for ransomware groups like Play. The firm's reliance on digital systems for managing legal documents, payroll, and accounting could have provided multiple entry points for the attackers. The Play ransomware group likely exploited vulnerabilities in the firm's network security, possibly through phishing attacks, unpatched software, or weak access controls, to gain initial access and deploy their ransomware.

Sources

• Shinnick & Ryan LLP
• Dun & Bradstreet - Shinnick & Ryan
• ZoomInfo - Shinnick & Ryan LLP
• Datanyze - Shinnick & Ryan
• NeverBounce - Shinnick & Ryan
• SentinelOne - Hypervisor Ransomware
• Sophos News - Ransomware Gangs and the Media
• TechTarget - Ransomware
• UK Parliament - Ransomware Report
• Check Point - Ransomware