Cyber Incident Victim: Buckley King
Date: Apr 2023
Location: United States of America
Summary
The law firm Buckley King was compromised by the BlackBasta ransomware group after a social engineering attack in which an employee executed a malicious email attachment. The attackers claimed to have exfiltrated 110 GB of data and demanded a ransom, which was negotiated down and paid. The incident resulted in the theft of a substantial volume of client files and personal information; the firm has made no public statement about the incident or about notification of affected clients.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around April 1, 2023, the law firm Buckley King LPA was compromised in a ransomware attack. The initial intrusion vector was a successful social engineering operation. An employee of the firm allegedly executed an infected file attachment contained within a malicious email, which provided the threat actors with their entry point into the firm's IT network. The group responsible for this attack was identified as the BlackBasta ransomware operation.

Following the initial breach, the attackers proceeded to exfiltrate data from the firm's systems. As part of their negotiation strategy, BlackBasta provided the victim with a file tree as proof of their access and data acquisition. This file tree reportedly contained over 230,000 directories and more than 760,000 individual files, indicating a significant compromise of the firm's digital assets. The total volume of data exfiltrated was stated by the attackers to be 110 gigabytes.
The attackers initiated a ransom demand, seeking $400,000 from Buckley King. In exchange for this payment, BlackBasta promised to delete the stolen data, provide a decryptor for any encrypted systems, and supply a "security report." The firm engaged in negotiations with the threat actors, and the two parties eventually reached a settlement on a reduced payment amount of $150,000. The negotiation process was not private, as the details were subsequently revealed publicly by a third party.
The payment was made in cryptocurrency. The transaction totalled 6 bitcoins, worth $161,574.00 at the time of transfer. Of this, 5.41537733 BTC ($145,830.70) went to the wallet address supplied by the BlackBasta group, and 0.58457449 BTC ($15,742.01) went to a separate wallet. The two outputs sum to 5.99995182 BTC; the small shortfall from 6 BTC is consistent with a miner fee. The transfer indicates that the victim completed the ransom payment, and that the amount delivered to the attackers' address was slightly below the negotiated $150,000 while the firm's total outlay exceeded it.
The public disclosure of the incident did not originate from Buckley King itself. Instead, the details of the attack, the negotiation, and the payment were first revealed by an entity named SuspectFile. This third party reported that they were able to access and monitor the interactions between the law firm and the ransomware group, including the financial transaction details. The firm did not provide a statement or comment to SuspectFile regarding the incident despite receiving requests for information. The public nature of the leak meant that the compromise was widely reported, including by data breach monitoring sites, which disseminated the specifics of the attack.
The primary impact of the incident was the confirmed exfiltration of a large quantity of data from the law firm's network. Given that the victim is a legal practice, the 110 gigabytes of stolen data very likely contained sensitive, confidential, and attorney-client privileged information belonging to a large number of the firm's clients. By the attackers' own file tree, the data set comprised hundreds of thousands of files and directories. The secondary impact was financial: the firm incurred a direct outlay of over $161,000 USD in the payment transaction, of which roughly $145,800 went to the wallet the attackers specified. The firm also likely faced significant indirect costs for incident response, investigation, and system remediation.
The firm's response actions, as reported, consisted primarily of negotiating with the threat actors and ultimately paying the ransom. There is no public information on any internal containment or eradication steps taken by the firm's IT personnel to secure the network after the initial breach, and none confirming whether the firm notified clients whose personal or confidential information was acquired by the attackers. Public reporting indicates the firm did not respond to media outlets that sought a statement. That silence leaves the scope of client impact and the firm's post-incident recovery actions undetermined from an external viewpoint. The incident is a public example of a risk inherent in ransomware negotiations: when a third party can observe the negotiation channel, the victim's decision to pay and the details of the transaction can be exposed publicly regardless of the victim's own disclosure choices.
