Cyber Incident Victim: Becker Law Office
Date:
Feb 2022
Location:
United States of America
Summary
A ransomware attack targeted Becker Law Office, with the LockBit gang threatening to release stolen client files unless a ransom was paid. The attackers claimed possession of 500 gigabytes of sensitive data and issued a public ultimatum. The firm restored operations using local and cloud backups without paying the ransom, working with third-party specialists and law enforcement agencies including the FBI and Secret Service. While the extent of potential client data compromise remains unclear, the incident highlights the firm's exposure to extortion attempts aimed at confidential legal information. Investigations into the breach and data exfiltration were ongoing at the time of reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On February 27, 2022, Becker Law Office, a prominent Louisville-based law firm, experienced a ransomware attack attributed to the LockBit 2.0 malware. The LockBit gang, known for targeting large enterprises globally, claimed to have exfiltrated 500 gigabytes of confidential client data and threatened to publish the files unless a ransom was paid. The group issued an ultimatum on the dark web, setting an April 22 deadline for payment and warning that "all available data will be published." LockBit 2.0, characterized as self-propagating malware that autonomously spreads across networks, typically avoids systems in Russia and former Soviet states to evade local prosecution. The attack was detected and reported via a HackNotice tweet, which provided a screenshot of the gang’s dark web post. Becker’s managing partner Gregory Bubalo confirmed the firm recovered its files "relatively quickly" using virtual backups stored on local servers and in the cloud, emphasizing no ransom was paid for decryption. The firm engaged third-party cybersecurity specialists and collaborated with the FBI and U.S. Secret Service in an ongoing investigation, though Bubalo declined to disclose the ransom amount, specifics of compromised client data, or whether affected clients were notified, citing the active probe.
The incident highlighted systemic vulnerabilities in legal sector cybersecurity, with experts noting law firms’ attractiveness as targets due to their obligation to protect client confidentiality. Becker’s response aligned with FBI guidance discouraging ransom payments, as emphasized by Kentucky FBI spokesperson Tim Beam, who warned payments incentivize further attacks and offer no guarantee of data recovery. The LockBit gang’s broader activity included targeting 196 organizations globally in early 2022, spanning industries like healthcare, construction, and law, with two other U.S. law firms listed as victims in April 2022. While Becker mitigated operational disruption through backups—mirroring Middleton Reutlinger, a Louisville firm that recovered from a 2021 ransomware attack in 48 hours—the full scope of data exposure remained unconfirmed. The attack underscored escalating ransomware trends, including the use of cryptocurrencies for anonymous transactions and rising ransom payments, which reached $590 million in the first half of 2021 according to U.S. Treasury data. Becker’s reliance on backups and federal law enforcement collaboration exemplified a containment strategy consistent with industry practices, though the firm’s investigation left critical questions about data integrity and client impact unresolved.