Exclusive – Singapore: Shook Lin & Bok law firm pays a ransom of $1.4M to the Akira ransomware group


The Singapore-based law firm Shook Lin & Bok has paid a ransom of $1.4 million in bitcoin to the Akira ransomware group.

In this article, we will also reveal the main BTC wallet that Akira uses for its money laundering operations. The wallet's current balance exceeds $1.2 million (19.79399012 BTC) across 161 transactions, with nearly $200 million in total having passed through this account, a figure 4.5 times higher than the money flow previously estimated for Akira.

After a week of negotiations with the ransomware group's negotiator, which opened with an initial ransom demand of $2 million, Shook Lin & Bok agreed on April 24th, within the Akira group's negotiation chat, to pay a ransom of $1.4 million in bitcoin to obtain decryption keys for their ESXi virtualization platforms.

SuspectFile.com has been able to monitor, in real-time, all phases of the negotiation between the victim and Akira.

A first payment of 0.01477521 BTC ($942.16), referred to by the two negotiators as a “test payment,” was sent at 03:55:12 GMT+2 on April 24th from the Shook Lin & Bok BTC wallet bc1q[EDITED]2fwz.


Screenshot and redaction by SuspectFile.com


Two additional payments were made 90 minutes apart. The first was for $671,806 (10.53501762 BTC) at 04:31:20 GMT+2, and the second for $670,731 (10.52024242 BTC) at 06:02:31 GMT+2, both on the same day, for a total of 21.07 BTC.

Screenshot and redaction by SuspectFile.com


Screenshot and redaction by SuspectFile.com


Six minutes after the last installment was paid, Akira proceeded to empty its BTC wallet.


Screenshot and redaction by SuspectFile.com


The entire ransom amount was transferred to a “bridge” BTC wallet and from there to their main wallet, where we’ve seen nearly $197 million pass through to date. However, we’ll analyze these details later.

The chat begins with the individual from Shook Lin & Bok (You) asking the Akira negotiator (We) why they had never responded to their emails. Akira replies that the only secure channel for negotiations is their chat. What they claim evidently doesn't match reality.

You: This is [EDITED]. You did not reply to my emails for a long time

We: We have responded that we can communicate in this chat only. It is secured.

Akira provides the victim with the file tree (listing.7z).

We: These files were taken from your network prior to encryption. You can pick 2-3 random files up to 10 MB each from the list and we will upload them to this chat as a proof of possession. To prove that we can properly decrypt your data you can upload 2-3 encrypted files up to 10 MB each to our chat and we will upload decrypted copies back.

[…] Let me know whether you’re interested in a whole deal or in parts. This will affect the final price.
If we don’t get a response within the next 24 hours, we will be forced to announce your corporate data leak on our blog.

You: We will download and examine the files to verify they all belong to us. This might take longer than 24 hours as our IT team is very busy. Please be very patient with us.

The individual from Shook Lin & Bok informs the ransomware group that they are only interested in decrypting the files. After uploading 5 encrypted files with the .akira extension to the chat, they inquire about the price to obtain the decryptor.

You: If you announce our name or release any data on any blog, there will not be any deal.

We are only interested in decryption.

[…]

Below, we list the names of the 5 encrypted files sent by the victim.

  • j50.log.akira
  • SSMC-Hyper-V-Installer.ps1.akira
  • j50tmp.log.akira
  • 7518CD43-099C-4261-892E-8CA77FD4C62B.vmcx.akira
  • 63B53694.vhdx.mrt.akira

Akira decrypts the files.

We: Please wait for the files.

decrypted.7z

You can review the files.

So, we’ve gone through your files to define your financial abilities. We’ve been looking through your bank statements, net income, cyber liability limits, financial audits – all the info that might help us to calculate our demand to you. We’re willing to set a $2,000,000 price for ALL the services we offer […]

[…] Let me know whether you’re interested in a whole deal or in parts. This will affect the final price.

For Shook Lin & Bok, the price demanded by Akira exceeds their financial capabilities. The victim requests a discount on the initial price of 2 million dollars.

You: Dear Sirs, We acknowledge your request and the amount, but we are sad to say that is simply much too high a number for us to deliver on […] We care about our staff and clients and we are a small family law firm […] if we move a large amount our banks will be suspicious and will lock down our accounts […] We only want to decrypt our files and save our family business. Please show us a good discount and tell us how to pay?

Akira decides to lower the price and reduces the ransom to 1.7 million dollars.

We: We’re well aware of the industry you operate in. It doesn’t matter, fortunately or not. We’ve heard these stories so many times. We’re willing to take a step towards you and come down to $1,7M USD […] We will wait for 24 hours more and if there is no progress, we will delete this chat […]

But for the Singaporean law firm, the price to be paid is still too high, so they make a counteroffer.

You: […] We do not have enough funds available to meet your request, but we can make you a very generous payment of USD$900,000 in exchange for the decryption of our data. There is a big risk for you that a larger payment would alert our bank and their regulations would mean our account would be frozen for weeks whilst they investigate […] Please accept our generous and sensible offer and share your BTC wallet so we can begin to move funds and make the payment. We will never deal if you leak any of our data or mention our company on any blog.

The Akira negotiator returns to the chat with what appears to be the final ransom price for the decryption keys, $1.5 million. They suggest that the law firm's negotiator split the amount into two payments to avoid banking scrutiny, and provide the BTC wallet to which the money should be transferred.

We: Well, the bosses appreciate your offer as well as your willingness to get this over with us. We’re well aware of how payments work. Your transfer won’t be frozen if you refer to any local broker who can facilitate the transfer. Anyway, my bosses have agreed to take a final step and come down to $1,500,000. We can even suggest that you split this into two payments. Here is our BTC wallet ID for payment: bc1q[EDITED]seuz

After further attempts by the Shook Lin & Bok negotiator to lower the price, the two parties agree on a payment of $1.4 million in bitcoin, with the payment to be made in two installments.

You: Dear Sirs, we are in the final stages of making the arrangements to make a payment […] Before we can agree a final value, what assurances and guarantees can you give me that our data, files, file names or company name has not already been sold or leaked by Akira or your colleagues? […]

We: We value our reputation and honor all agreements made. You will not find a single case where we have broken an agreement or failed to fulfill any of the clauses.
We are the ones who can properly decrypt your data and restore your infrastructure in a short period of time.
After payment you will receive a decryptor for each of your systems and manual on how to use it for particular file/system […] You will also receive written guarantees that we will not sell or publish your data, keep this conversation private, and delete this chat later […]

You: Dear Sirs, this is a very large amount for us and we cannot go any higher under any circumstances. We can agree USD$1,400,000. We would like to make payment today and want to agree a BTC amount at the current price as we cannot transfer more. Can you agree 21.02BTC total? If so, we can begin with a $1000 test payment. Do you agree?

We: We can agree 21.07 BTC total. Waiting for a test payment.

After receiving the “test payment” and the first installment, Akira posts in the chat a file it presents as proof that the files exfiltrated during the cyberattack have been deleted. They then request that the remaining portion of the sum be sent.

We: 0.01477521 BTC received. You can proceed with the first part.

[…] We have received the first part. Sending the proof of deletion now.

shooklin.com_log_del.zip

Please, see the proof of deletion above. We’re waiting for the remaining part.

You: Dear Sirs, We have sent the final payment and await you to complete the agreement. Please send decryption keys to unlock our files and systems.

We: We have received the final payment, thank you.

unlockers.7z

As we followed the chat, we had a clear sense that the primary concern of the Shook Lin & Bok negotiator was that the negotiations might be interrupted for some reason, leading to the publication of the law firm's name and the exfiltrated data on Akira's blog.

From the information we gathered, it’s not illegal in Singapore to pay a ransom when a company experiences a data breach. However, the moral question arises: is it ethical for a law firm to yield to extortion, effectively fueling the finances of criminal gangs? We believe it’s immoral. Perhaps the biggest mistake of the Shook Lin & Bok negotiator was to believe that chats are a safe space to negotiate a ransom. The facts we reported in the article demonstrate the exact opposite.

At this point, we believe that Shook Lin & Bok should ask themselves a question: has the data exfiltrated by the Akira affiliate truly been deleted? A log file stating “Deleted file” cannot provide any certainty.


Screenshot and redaction by SuspectFile.com

At the beginning of the article, we mentioned another BTC wallet to which Akira transferred the ransom money (image below). The current balance of this wallet is $0.


Screenshot and redaction by SuspectFile.com

This wallet was then used by the ransomware group to transfer the entire ransom amount to another Akira account, which we'll refer to as the “main wallet,” activated on April 9th (bc1p[EDITED]uwuq), a BTC wallet through which the group currently channels all of its money. Only a small portion remains deposited in the “main wallet” (approximately $1.2 million), while the rest is transferred on to other wallets.


Screenshot and redaction by SuspectFile.com

Before publishing this article, we sent a request for comment to Shook Lin & Bok. An email has also been sent to the person we believe negotiated with Akira’s affiliate. However, we did not receive a response before the article was published.

We will update the article as soon as we are able to provide further details on the case.


(Corrective Note: 4/30/2024)

We report the actual and correct incoming/outgoing transactions of Akira’s “main wallet” (bc1p[EDITED]uwuq) as of April 30, 2024, at 01:15 AM.

Total incoming transactions: 164
Total outgoing transactions: 163
Received: 226.5985 BTC (first: 4/9/2024 – last: 4/29/2024)
Sent: 206.8029 BTC (first: 4/9/2024 – last: 4/29/2024)
Balance: 19.79563872 BTC – 1,261,987.01 USD
Profit from price change: -133,038.8 USD
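The wallet figures above (incoming and outgoing counts, received, sent, balance) and the earlier description of the ransom hopping from the payment wallet through a “bridge” wallet into the “main wallet” are the kind of thing an incident responder reconstructs from a transaction export. The following is an added example, not SuspectFile.com's tooling and not Akira's infrastructure: it runs the same two analyses over a small constructed ledger whose amounts and timestamps mirror the ones reported in this article. All addresses (VICTIM_WALLET, AKIRA_PAYMENT_WALLET, AKIRA_BRIDGE_WALLET, AKIRA_MAIN_WALLET, CASHOUT_WALLET_A, UNRELATED_WALLET) are placeholders standing in for the redacted real ones, and the function names are my own.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal


@dataclass(frozen=True)
class Tx:
    """One simplified on-chain transfer: a single input address to a single output address."""
    txid: str
    src: str
    dst: str
    btc: Decimal          # Decimal, never float: satoshi amounts must not accumulate rounding error
    ts: str               # ISO 8601 timestamp with offset


# Constructed sample ledger. Amounts and times follow the article's account of the
# three ransom payments; the later hops and the unrelated deposit are invented
# to make the tracing non-trivial. Addresses are placeholders.
LEDGER = [
    Tx("tx01", "VICTIM_WALLET", "AKIRA_PAYMENT_WALLET", Decimal("0.01477521"), "2024-04-24T03:55:12+02:00"),
    Tx("tx02", "VICTIM_WALLET", "AKIRA_PAYMENT_WALLET", Decimal("10.53501762"), "2024-04-24T04:31:20+02:00"),
    Tx("tx03", "VICTIM_WALLET", "AKIRA_PAYMENT_WALLET", Decimal("10.52024242"), "2024-04-24T06:02:31+02:00"),
    Tx("tx04", "AKIRA_PAYMENT_WALLET", "AKIRA_BRIDGE_WALLET", Decimal("21.07003525"), "2024-04-24T06:08:31+02:00"),
    Tx("tx05", "AKIRA_BRIDGE_WALLET", "AKIRA_MAIN_WALLET", Decimal("21.07003525"), "2024-04-24T06:20:00+02:00"),
    Tx("tx06", "AKIRA_MAIN_WALLET", "CASHOUT_WALLET_A", Decimal("15.00000000"), "2024-04-25T01:00:00+02:00"),
    Tx("tx07", "UNRELATED_WALLET", "AKIRA_MAIN_WALLET", Decimal("5.00000000"), "2024-04-26T01:00:00+02:00"),
]


def wallet_summary(ledger, addr):
    """Counts and totals for one address, in the same shape as the article's corrective note."""
    incoming = [t for t in ledger if t.dst == addr]
    outgoing = [t for t in ledger if t.src == addr]
    received = sum((t.btc for t in incoming), Decimal(0))
    sent = sum((t.btc for t in outgoing), Decimal(0))
    return {
        "incoming_count": len(incoming),
        "outgoing_count": len(outgoing),
        "received_btc": received,
        "sent_btc": sent,
        "balance_btc": received - sent,
        "first_in": min((t.ts for t in incoming), default=None),
        "last_out": max((t.ts for t in outgoing), default=None),
    }


def trace_forward(ledger, start, max_hops=3):
    """Breadth-first walk along outgoing transfers from `start`.

    Returns (reached, edges): `reached` maps each address to the minimum number of
    hops from `start`; `edges` lists (hop, Tx) for every transfer traversed.
    Only the forward direction is followed, so deposits into a downstream wallet
    from elsewhere (tx07 above) are not attributed to the starting wallet.
    """
    by_src = {}
    for t in ledger:
        by_src.setdefault(t.src, []).append(t)
    reached = {start: 0}
    edges = []
    queue = deque([(start, 0)])
    while queue:
        addr, hop = queue.popleft()
        if hop >= max_hops:
            continue
        for t in by_src.get(addr, []):
            edges.append((hop + 1, t))
            if t.dst not in reached:          # keep the shortest hop count per address
                reached[t.dst] = hop + 1
                queue.append((t.dst, hop + 1))
    return reached, edges


def sweep_delay_seconds(ledger, addr):
    """Seconds between the last deposit into `addr` and the first withdrawal after it.

    A very short delay is the "emptied six minutes after the last installment"
    pattern the article describes; None means no withdrawal followed the last deposit.
    """
    deposits = sorted(datetime.fromisoformat(t.ts) for t in ledger if t.dst == addr)
    if not deposits:
        return None
    last_in = deposits[-1]
    later_out = sorted(datetime.fromisoformat(t.ts) for t in ledger if t.src == addr
                       and datetime.fromisoformat(t.ts) >= last_in)
    if not later_out:
        return None
    return (later_out[0] - last_in).total_seconds()


if __name__ == "__main__":
    print(wallet_summary(LEDGER, "AKIRA_PAYMENT_WALLET"))
    reached, edges = trace_forward(LEDGER, "VICTIM_WALLET", max_hops=4)
    for hop, t in edges:
        print(f"hop {hop}: {t.src} -> {t.dst} {t.btc} BTC ({t.txid})")
    print("sweep delay (s):", sweep_delay_seconds(LEDGER, "AKIRA_PAYMENT_WALLET"))
```

On a real export the same three functions apply unchanged once each transaction is flattened into (input address, output address, amount) rows; the forward-only walk is what separates “money that originated with the victim” from other funds mixed into the same downstream wallet, which matters when a wallet's totals, like the $197 million figure above, are being attributed to one group's activity.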