Cyber Incident Victim: MJ Payne Ltd
Date: May 2020
Location: United Kingdom
Summary
MJ Payne Ltd, a London accounting firm specializing in services for small businesses, experienced a ransomware attack attributed to REvil (Sodinokibi) operators. The attackers publicly shared screenshots purportedly from the firm's directory as evidence of compromise but did not disclose client files or specific documents. The company did not issue a public response to the incident or confirm the breach details.
Description
On or around May 1, 2020, London-based accounting firm MJ Payne Ltd experienced a ransomware attack attributed to the REvil group, also known as the Sodinokibi operators. The attackers publicly claimed responsibility for the incident on Friday, April 30, 2020, by posting screen captures allegedly showing directory structures from MJ Payne's systems as proof of compromise. No individual client files or sensitive documents were disclosed in this initial proof-of-hack demonstration. The REvil operators did not accompany the posting with any explanatory commentary or explicit ransom demand at this stage. MJ Payne Ltd, which specialized in accounting services for small and micro businesses while promoting "stress-free" client experiences, did not issue any public statement acknowledging the attack. The company also did not respond to media inquiries seeking confirmation or details about the incident.

The attack exposed MJ Payne Ltd to significant reputational risk given the contrast between its advertised stress-free services and the operational disruption implied by a ransomware compromise. While the attackers did not initially release sensitive client data, the directory screenshots indicated that they had, at minimum, gained unauthorized access to the firm's systems. The absence of confirmed details about containment efforts, data recovery processes, or system restoration timelines left the firm's operational status unclear. No information emerged regarding whether client data was exfiltrated beyond the directory structures shown, which specific systems were affected, or whether business operations were interrupted. The REvil group's decision to target a small accounting firm followed its established pattern of attacking professional service providers with potential weaknesses in network security.
