Shinnick & Ryan Law Firm Hit by Play Ransomware, Sensitive Data Compromised

Incident Date: June 12, 2024

Overview

Victim: Shinnick & Ryan

Attacker: Play

Location: Phoenix, USA; Arizona, USA

First Reported: June 12, 2024

Ransomware Attack on Shinnick & Ryan by Play Ransomware Group

Overview of Shinnick & Ryan

Shinnick & Ryan is a prominent law firm specializing in resolving construction and design deficiency cases for homeowners. With headquarters in San Diego, California, and a secondary office in Phoenix, Arizona, the firm employs between 51 and 200 people across multiple locations in Arizona, California, Nevada, and New Mexico. The firm has recovered over $100 million for its clients and repaired thousands of homes through litigation and negotiation with developers, subcontractors, and the insurance industry. It is an active member of legislative groups such as the Community Associations Institute (CAI) and the California Association of Community Managers (CACM), through which it advocates for homeowner protections.

Details of the Ransomware Attack

Shinnick & Ryan recently fell victim to a ransomware attack orchestrated by the Play ransomware group. The attack compromised a wide array of sensitive data, including private and personal confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, and financial information. The breach was announced on Play's dark web leak site, highlighting the severity and scope of the data exfiltration.

About the Play Ransomware Group

The Play ransomware group, operated by Ransom House, is known for its sophisticated attacks targeting Linux systems. Initially linked to the Babuk code, Play ransomware has evolved to target ESXi lockers. The group employs cryptographic lockers and has a unique approach to victim communication, often using verbose ransom notes to provide explicit instructions. Play ransomware actors have been observed using various hack tools and utilities, such as AnyDesk, NetCat, and encoded PowerShell Empire scripts, to achieve initial access and deploy their ransomware.

Potential Vulnerabilities and Penetration Methods

Shinnick & Ryan's extensive handling of sensitive client data and financial information makes them a lucrative target for ransomware groups like Play. The firm's reliance on digital systems for managing legal documents, payroll, and accounting could have provided multiple entry points for the attackers. The Play ransomware group likely exploited vulnerabilities in the firm's network security, possibly through phishing attacks, unpatched software, or weak access controls, to gain initial access and deploy their ransomware.
