Cleveland, OH: cyberattack, law firm strikes deal with ransomware group BlackBasta for $150,000


Yet another victim of a ransomware group who decides to pay the ransom, in exchange for the promise that their data will not be published or sold. This time it is the Buckley King LPA law firm in Cleveland in the US state of Ohio that pays the price.

According to a report compiled by Zippia Inc., the Buckley King LPA law firm, which has four other offices in Atlanta, Dayton, Naples and Phoenix, reportedly generated revenue of approximately $8M in 2022.

Last April the BlackBasta gang managed to enter the law firm’s IT network through social engineering: an employee of Buckley King LPA allegedly executed an infected attachment in an e-mail. This is what a BlackBasta affiliate says in the negotiation chat:

…Your network has been compromised by mailing of messages to the emails with malicious attachments.

The chat begins with the Buckley King LPA negotiator introducing himself as an administrator appointed by the law firm to lead the negotiations:

Im an admin. I was assigned to communicate with you.

The BlackBasta affiliate replies that the data has been encrypted and that the group is in possession of 110 GB of sensitive corporate data exfiltrated during the attack on Buckley King LPA’s IT systems. It sets a deadline of 10 days for the negotiations and a ransom of $400,000 for the decryptor, the deletion of the data downloaded from the company servers, and a “security report” that will describe the method used to access the IT systems as well as the measures to adopt to correct network vulnerabilities.

[…] We’ve downloaded over 110GB of a sensitive information and data from your network[…]
[…] However, if we don’t come to an agreement within 10 days, it’ll be posted on our news board[…]
[…] Decryption price is $400,000. In case of successful negotiations we guarantee you will get:
1) Decryptor for all your Windows machines;
2) Non recoverable removal of all downloaded data from our side;
3) Security report on how you were hacked to fix your vulnerabilities and avoid such situations in future[…]

After a week of chat messages, the Cleveland law firm’s negotiator writes that Buckley King LPA is willing to pay $39,250. The BlackBasta affiliate deems the offer unacceptable and declines it.

Are you seriously? This is an unacceptable offer. We will not even turn our heads in your direction for such a meager amount. Increase it

The following day BlackBasta tries to pressure Buckley King LPA and writes:

We also want to remind you that you have a lot of critical data, a lot of personal data of your employees and customers, copies of passports and driver’s license ([REDACTED], [REDACTED], [REDACTED], [REDACTED], [REDACTED] and many others), their SSN, DOB, addresses and phone numbers, your NDA, confidential agreements, financial documents and other documents can be used for bad purposes, loans, etc. Darknet users know how to do this. Therefore, we suggest you to think better and make the worthy offer.

The negotiator makes a second offer of $44,990 on behalf of the law firm’s top management. The affiliate rejects it again and instead sets a new, non-negotiable ransom of $150,000.

The Buckley King LPA law firm accepts the new ransom price and asks for the ransomware group’s bitcoin wallet ID in order to deposit the money:

Leadership is prepared to accept your offer of $150,000 with all fees included. […] Please send us your bitcoin wallet ID so we can proceed with payment.

The negotiator’s message contains some (paradoxical) conditions that BlackBasta must guarantee before receiving the ransom payment. In practice these requests make no sense, except (perhaps) to put one’s conscience at ease and convince oneself of something that no one can ever guarantee, still less when the promise is made by a member of a gang.

[…] This would include a working decryptor with any assistance we may need with it, proof and assurance that all our data has been removed from your systems, deleted, not copied or transferred elsewhere, and with the promise not to ask for any additional money for anything after payment is received, a detailed explanation of why we were targeted and how you got into our systems, and the promise to never attack us again[…]

Below is the (obvious) response from the affiliate:

Okay. We confirm all points. Our BTC wallet is [REDACTED]

The total amount of the transaction is 6 bitcoins (161,574.00 USD), but 5.41537733 bitcoins ($145,830.70) were deposited in the wallet indicated by the gang, while 0.58457449 bitcoins ($15,742.01) were transferred to another wallet. The transactions were confirmed on May 15, 2023 at 7:01 PM UTC.

During the chat the affiliate of the BlackBasta gang sends the file tree as proof: a text file listing over 230,000 directories and more than 760,000 files, which gives an idea of the enormous amount of data, much of it sensitive, stolen from the law firm.

SuspectFile was able to read this file and can tell that it includes documents from companies with which the law firm has had an employment relationship, copies of passports, e-mails and documents attributable to Buckley King LPA lawyers.

BlackBasta sends a last message in the chat listing the procedure to decrypt the files and the measures to be taken to improve the security of the Buckley King LPA IT network.

We want to remind you that for weeks at least 110 GB of sensitive data have been in the hands of a group of cybercriminals, and that these documents included copies of passports, SSNs and private documents of Buckley King LPA customers.

Prior to publication of this article, we sent two emails to five attorneys at the law firm and to the Head of Media Contact at Buckley King LPA asking for a statement on the matter, as we could not find any press release on the company website explaining what happened. At the moment SuspectFile has received no response.