Rhysida Ransomware Hits BrownWinick Law Firm in Des Moines Cyberattack
Overview of the Attack
On July 16, 2024, BrownWinick, a prominent law firm based in Des Moines, Iowa, specializing in corporate law, litigation, and intellectual property, fell victim to a ransomware attack orchestrated by the Rhysida Ransomware Group. The extent of the data breach remains undisclosed, but the attack underscores the vulnerabilities faced by legal institutions in protecting sensitive client information.
About BrownWinick
BrownWinick is a full-service law firm established in 1951, known for its comprehensive legal solutions tailored primarily for businesses. The firm offers expertise across various practice areas, including corporate law, litigation, real estate, employment law, taxation, and intellectual property. BrownWinick's client-centric approach and commitment to community engagement distinguish it in the legal industry. The firm has been recognized as a Top Workplace in Iowa for 2023, reflecting its positive work environment and dedication to client service.
Vulnerabilities and Targeting
Legal firms like BrownWinick are attractive targets for ransomware groups due to the sensitive nature of the data they handle, including confidential client information and intellectual property. The firm's extensive use of digital systems for managing legal documents and communications makes it susceptible to cyberattacks. The Rhysida Ransomware Group likely exploited these vulnerabilities to infiltrate BrownWinick's network.
About Rhysida Ransomware Group
The Rhysida Ransomware Group emerged in May 2023 and has since targeted various sectors, including education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and primarily targets Windows operating systems. The group employs a double extortion technique, stealing data before encrypting it and threatening to publish it on the dark web unless a ransom is paid. Rhysida's attacks are characterized by the use of phishing campaigns, valid credentials, and tools like PsExec for lateral movement within victim networks.
Penetration Methods
Rhysida likely penetrated BrownWinick's systems through phishing campaigns or by leveraging valid credentials obtained through unknown means. Once inside the network, the group used net commands and tools like Advanced IP/Port Scanner to gather information about the environment. The ransomware was then deployed using Sysinternals tools, encrypting files with the ChaCha20 algorithm and leaving ransom notes in the form of PDF documents named “CriticalBreachDetected.pdf”.
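As an added defender-side example (not code from the original post or from Halcyon), the following Python hunt turns the tradecraft described above into detection rules and runs them over constructed Sysmon-style events; the event fields, rule names, hostnames and sample paths are assumptions, and a host that trips several distinct rules is reported as a likely multi-stage chain.

```python
import re

# Detection rules keyed to the Rhysida tradecraft described above: net-command
# reconnaissance, Advanced IP/Port Scanner, PsExec (PSEXESVC service binary)
# for lateral movement, and the CriticalBreachDetected.pdf ransom note.
RULES = {
    "recon_net_cmd": lambda e: (e["type"] == "process"
        and e["image"].lower().endswith(("\\net.exe", "\\net1.exe"))
        and re.search(r"\b(group|user|view|localgroup)\b", e["cmdline"], re.I) is not None),
    "scanner_tool": lambda e: (e["type"] == "process"
        and re.search(r"advanced_(ip|port)_scanner", e["image"], re.I) is not None),
    "psexec_service": lambda e: (e["type"] == "process"
        and e["image"].upper().endswith("\\PSEXESVC.EXE")),
    "ransom_note": lambda e: (e["type"] == "file"
        and e["path"].lower().endswith("\\criticalbreachdetected.pdf")),
}

# Constructed Sysmon-style events (process creation and file creation); these are
# made-up samples, not telemetry from BrownWinick or any real Rhysida incident.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"type": "process", "host": "ws-01", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\Advanced_IP_Scanner.exe", "cmdline": "Advanced_IP_Scanner.exe"},
    {"type": "process", "host": "fs-02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"type": "file", "host": "fs-02", "user": "CORP\\jdoe",
     "path": r"D:\Shares\Clients\CriticalBreachDetected.pdf"},
    # Benign drive mapping: net.exe, but not an enumeration subcommand, so no hit.
    {"type": "process", "host": "ws-07", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net use Z: \\fs-02\share"},
]

def match_events(events):
    """Return (rule, host, user) for every event that trips a rule."""
    return [(name, e["host"], e["user"])
            for e in events for name, rule in RULES.items() if rule(e)]

def hosts_by_stage_count(events, min_stages=2):
    """Hosts tripping at least min_stages distinct rules: a multi-stage chain
    (recon -> scan -> PsExec -> note) is a stronger signal than one event."""
    stages = {}
    for name, host, _ in match_events(events):
        stages.setdefault(host, set()).add(name)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in hosts_by_stage_count(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

In a real deployment the same rules would be fed from Sysmon Event ID 1 and 11 (or Security 4688) records rather than an inline list, and the ransom-note rule would typically be joined with a burst of file-rename events to catch the encryption stage itself.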