Cyber Incident Victim: Mississippi Center for Legal Services and North Mississippi Rural Legal Services
Date: Dec 2019
Location: United States of America
Summary
Mississippi Center for Legal Services and North Mississippi Rural Legal Services experienced a Ryuk ransomware attack that encrypted files on two primary servers, disrupting email access, work documents, applications, and local backups. The attack potentially compromised personal or confidential information belonging to clients, contractors, vendors, attorneys, and business partners, though a separate server storing client databases remained unaffected. The organization initiated an investigation to determine the breach's scope, restore system integrity, and implement preventive measures while working with their server vendor to recover services.
Description
On December 24, 2019, the Mississippi Center for Legal Services (MCLSC) and North Mississippi Rural Legal Services (NMRLS) experienced a ransomware attack that encrypted critical systems. The Ryuk ransomware variant targeted two servers, disrupting email services, server access, and operational functionality. The attack rendered most files on both servers inaccessible, including work product documents such as Word, Excel, and WordPerfect files, Outlook email databases, virtual server applications, and locally stored nightly backups. The encryption temporarily shut down the organizations’ computer systems, halting normal operations. IT staff detected the incident after being alerted to inaccessible email and server resources, prompting immediate engagement with their server vendor, Complete Computers. Investigation confirmed Ryuk as the ransomware strain responsible. Notably, the Clients Prime Database server—housing all client information for both organizations—remained unaffected due to its separate infrastructure and distinct configuration, preventing broader compromise of sensitive client records.

The organizations initiated a multi-phase response, beginning with containment and restoration efforts coordinated with Complete Computers. A February 5, 2020, public notice disclosed the breach, acknowledging potential unauthorized access to personal or confidential information belonging to current and former clients, contractors, vendors, attorneys, and business partners. An ongoing investigation aimed to determine the incident’s scope, identify affected individuals, and restore data and system integrity. Complete Computers’ analysis detailed the ransomware’s impact on specific servers and outlined corrective measures to prevent recurrence. While operational recovery progressed, the breach raised concerns about the exposure of non-client data stored on compromised systems, including vendor and contractor information. The organizations emphasized transparency through their public notice but did not initially confirm the exact number of affected individuals or specific data types exfiltrated, citing the incomplete nature of their investigation.
