Cyber Incident Victim: Shook Lin & Bok

Date: Apr 2024

Location: Singapore

Summary

A Singapore law firm experienced a ransomware attack by the Akira group, leading to system containment and investigations by authorities. The attackers reportedly demanded payment in bitcoin, and negotiations reduced the initial US$2 million demand to approximately S$1.89 million, paid across three transactions to obtain decryption keys for the firm's virtual servers. The incident involved double extortion: the attackers threatened to leak data in addition to encrypting systems. The firm found no evidence that its systems holding client data were compromised, and it maintained operations. Authorities discouraged ransom payments, citing the risk that data is not recovered and that payment incentivizes further attacks, and highlighted ransomware as a growing threat to organizations with potential operational and reputational impacts.

Description

On April 9, 2024, Singapore law firm Shook Lin & Bok discovered a ransomware attack affecting its systems. The firm immediately engaged a cybersecurity team to investigate and contain the incident. By 2:00 AM on April 10, the firm’s systems were contained, and the breach was reported to the Singapore Police Force, the Cyber Security Agency of Singapore (CSA), and the Personal Data Protection Commission Singapore. The firm issued a public statement on May 2 confirming these actions and emphasizing ongoing collaboration with cybersecurity specialists to minimize operational disruptions. While the firm maintained that its document management systems containing client data showed no evidence of compromise, it did not disclose the specific systems targeted or the duration of unauthorized access prior to detection. Independent cybersecurity monitoring site SuspectFile later reported that the Akira ransomware group executed the attack, initially demanding US$2 million in bitcoin before negotiating the ransom down to 21.07 bitcoins (approximately US$1.4 million or S$1.89 million at the time of payment). The firm made three separate bitcoin transactions to fulfill the ransom demand but declined to confirm or deny the payment when directly queried by The Straits Times.

The ransomware attack specifically targeted Shook Lin & Bok’s ESXi virtualisation platform, which hosts virtual representations of servers, storage, and networks critical to daily operations. According to cybersecurity experts cited in the report, Akira likely exfiltrated corporate data before encrypting files, employing a double-extortion strategy to pressure the firm into paying by threatening to leak sensitive information. The CSA acknowledged the incident and provided assistance to the firm while reiterating the Singapore government’s stance against ransom payments, citing risks such as data not being decrypted, recurrent targeting, and the perpetuation of criminal enterprises. No client data breaches or operational stoppages were confirmed by the firm, though the attack exposed vulnerabilities in its infrastructure. The Akira group, active since early 2023, has historically targeted small and medium-sized businesses through phishing campaigns and exploitation of unpatched software vulnerabilities, with prior high-profile incidents including a December 2023 breach of Nissan Oceania. Shook Lin & Bok continues normal operations while cooperating with authorities and cybersecurity partners to assess the full scope of the incident.
