Cyber Incident Victim: Noteboom
Date: Mar 2023
Location: United States of America
Summary
BlackCat ransomware group compromised a Texas law firm, exfiltrating over 400GB of sensitive data including non-disclosure agreements, active case documents, medical records, and employee information while encrypting servers. The attackers had been inside the network for approximately one week and noted unsuccessful defensive efforts by the firm's administrators. Following multiple unacknowledged ransom demands totaling $1.75 million and expiration of a 24-hour deadline, the group listed the firm on its leak site but withheld public release pending a two-week extension. No communication occurred between the parties during the incident.
Threat actors: 1
Motives: 2
Tactics, techniques and procedures: 1 technique
CIA posture, actor type and actor location: available to members
Description
On March 24, 2023, the BlackCat ransomware group, also known as ALPHV, initiated contact with Noteboom – The Law Firm, a Texas-based personal injury practice, via an email impersonating the firm’s systems administrator, Paul Khong. The attackers declared they had breached the network, exfiltrated over 400 gigabytes of sensitive data, and encrypted all servers and data. BlackCat reported remaining undetected within the environment for seven days prior to the notification, during which they reviewed documentation and gained access to files and services. The compromised data included non-disclosure agreements, open case documents, medical records tied to litigation, and employees’ sensitive information. BlackCat noted that Noteboom’s network administrators had identified their activity and actively attempted to disrupt the intrusion for multiple days but lacked the necessary expertise to prevent the ransomware deployment or data theft. The email concluded with instructions for the firm to engage in negotiations to avoid further exposure.

BlackCat repeated the same extortion email to Noteboom on March 27 and, after receiving no response, escalated pressure on April 4 by issuing a 24-hour deadline alongside a private onion URL, warning that the listing would become public. With no contact established, BlackCat listed Noteboom on their leak site but withheld publishing the stolen data, extending a final two-week window for the firm to respond before leaking the material. The group disclosed to media outlet DataBreaches that the ransom demand amounted to $1.75 million and confirmed Noteboom had not communicated with them at any stage. DataBreaches attempted to contact Noteboom via email for comment but had received no replies as of the article’s March 24 publication. The incident’s consequences centered on operational disruption from encrypted systems, potential exposure of highly sensitive client and employee information, and reputational risk stemming from the impending two-week data leak ultimatum. The firm’s documented defensive actions were limited to its administrators’ unsuccessful attempts to repel the intrusion prior to encryption.
