Baird Mandalas Brockstedt LLC Hit by Akira Ransomware Attack

Incident Date: Sep 05, 2024

Attack Overview
VICTIM
Baird Mandalas Brockstedt LLC
INDUSTRY
Law Firms & Legal Services
LOCATION
USA
ATTACKER
Akira
FIRST REPORTED
September 5, 2024

Ransomware Attack on Baird Mandalas Brockstedt LLC by Akira

Baird Mandalas Brockstedt & Federico, LLC (BMBF), a prominent law firm based in Dover, Delaware, has fallen victim to a ransomware attack by the Akira group. The attack, discovered on September 6, 2024, resulted in the exfiltration of approximately 400 GB of sensitive data, putting the privacy and confidentiality of the firm's clients at significant risk.

About Baird Mandalas Brockstedt & Federico, LLC

BMBF is a well-established law firm specializing in a diverse range of legal services, including complex personal injury cases, medical malpractice, environmental litigation, and mass torts. The firm has achieved over $1 billion in verdicts and settlements, with notable amounts such as $205 million in environmental settlements and $123 million in sexual abuse cases. The firm employs 63 people and has an annual revenue of $9.4 million, making it a successful mid-sized law firm with a strong financial foundation.

Attack Overview

The ransomware attack by Akira has led to the exfiltration of a wide range of personal client data, including birth and death certificates, passports, Social Security Numbers (SSNs), court hearing records, and evidentiary documents. The compromised information poses a significant risk to the privacy and confidentiality of the law firm's clients. Because the data was stolen rather than merely encrypted, the threat of publication persists even if the firm can restore its systems from backups, which is exactly the leverage Akira's double-extortion model relies on. How the attackers first gained access to the firm's network has not been stated.

About Akira Ransomware Group

Akira is a ransomware group that emerged in March 2023 and has quickly established itself as a significant threat. The group operates a double-extortion model: it steals data before encrypting it, so that a leak threat remains even when victims can recover from backups. Akira typically appends the .akira extension to encrypted files, and its code and tradecraft have been linked to the former Conti ransomware operation. The group most often gains initial access through compromised credentials, exploitation of vulnerabilities in public-facing services, or phishing.

Penetration Methods

Akira's initial access most often comes through remote-access services, in particular VPN appliances with no multi-factor authentication (MFA) enforced and known vulnerabilities in Cisco VPN products. Once inside, the operators move laterally over RDP, use PowerShell for discovery and tooling, and run credential-dumping tools to escalate privileges, staging and exfiltrating data before any encryption begins. The encryptor uses a hybrid scheme, ChaCha20 for file contents with the ChaCha20 keys protected by RSA, so files cannot be recovered without the attackers' private key. It also deletes Volume Shadow Copies, typically through PowerShell and WMI, so that local snapshots cannot be used to restore.
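The shadow-copy deletion described above is one of the few steps in this playbook that produces a reliable, high-fidelity signal before encryption starts. The following detector is an added example written for this page, not Halcyon's or Akira's code: it runs a small rule set over constructed process-creation events (stand-ins for Sysmon Event ID 1 or Windows Security 4688 records, not logs from the BMBF incident) and decodes PowerShell `-EncodedCommand` payloads so that a base64-wrapped `Win32_Shadowcopy` deletion is not missed. The rule names, field names and sample hosts are assumptions; the command-line patterns are the commonly observed ones, and the `wbadmin` rule goes slightly beyond the text to cover backup-catalog deletion, a neighbouring recovery-hindering technique.

```python
"""Flag shadow-copy and backup-catalog deletion in process-creation logs.

Added example. The events below are constructed stand-ins for Sysmon ID 1 /
Windows 4688 records; they are not logs from the BMBF incident.
"""
import base64
import binascii
import re

# Hypothetical rule set. Each pattern is applied case-insensitively to the
# command line plus any decoded PowerShell -EncodedCommand payload.
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "powershell_wmi_shadowcopy_delete": re.compile(
        r"win32_shadowcopy.*?(?:remove-wmiobject|remove-ciminstance|\.delete\(\))",
        re.I | re.S),
    "wbadmin_delete_catalog": re.compile(
        r"\bwbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
}

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
ENCODED_ARG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE plaintext of a -EncodedCommand argument, or "" if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-16-le", errors="ignore")


def match_rules(cmdline: str) -> list[str]:
    """Names of every rule that fires on the visible or decoded command line."""
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    return [name for name, rx in RULES.items() if rx.search(text)]


def analyze(events: list[dict]) -> list[dict]:
    """One alert per (event, rule) pair; benign enumeration such as 'vssadmin list' is ignored."""
    alerts = []
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


def affected_hosts(events: list[dict]) -> list[str]:
    """Sorted hosts on which recovery tampering was observed (triage scope for IR)."""
    return sorted({a["host"] for a in analyze(events)})


# Constructed sample: a base64/UTF-16LE wrapped WMI deletion, exactly as
# powershell.exe -enc would receive it.
_ENCODED = base64.b64encode(
    "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "FS01", "user": "CORP\\svc-backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": "CORP\\svc-backup",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "DC01", "user": "CORP\\jdoe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"host": "DC01", "user": "CORP\\jdoe",
     "cmdline": 'powershell.exe -c "gwmi Win32_ShadowCopy | % { $_.Delete() }"'},
    {"host": "WS07", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe list shadows"},            # benign enumeration
    {"host": "WS07", "user": "CORP\\admin",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"{alert['host']:5} {alert['user']:16} {alert['rule']:34} {alert['cmdline'][:60]}")
    print("hosts to triage:", affected_hosts(SAMPLE_EVENTS))
```

Run as a script it prints five alerts across FS01, DC01 and WS07 and leaves the `vssadmin list shadows` and `notepad.exe` events alone. In production the same rules belong in the EDR or SIEM as a blocking or paging rule rather than a post-hoc script, since by the time shadow copies are being deleted, exfiltration has usually already finished and encryption is minutes away.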
