Cyber Incident Victim: Grubman Shire Meiselas & Sacks

Date:

May 2020

Location:

United States of America

Summary

A ransomware group known as REvil compromised a prominent entertainment law firm, exfiltrating 756GB of sensitive client and operational data including contracts, personal correspondence, non-disclosure agreements, and documents containing personally identifiable information such as social security numbers. The attackers publicly released samples of stolen legal agreements involving high-profile artists and tour personnel to substantiate their claims, threatening further leaks to pressure payment. The incident jeopardized confidential information pertaining to numerous celebrity clients and employees, with potential exposure risks extending to private communications and financial details. REvil's history of selling data from non-paying victims heightened concerns that the stolen materials could circulate on underground markets.

Description

On or around May 8, 2020, the Sodinokibi ransomware group (also known as REvil) publicly claimed responsibility for a cyberattack targeting Grubman Shire Meiselas & Sacks (GSMLaw), a New York-based entertainment law firm representing numerous high-profile celebrities and artists. The attackers asserted they had exfiltrated 756 gigabytes of sensitive data from the firm’s systems, including contracts, personal correspondence, non-disclosure agreements, email addresses, phone numbers, and documents containing personally identifiable information such as social security numbers. To substantiate their claims, REvil published screenshots of allegedly stolen file directories and excerpts from specific legal documents, including a 2013 agreement signed by Christina Aguilera (not listed as a current client) and a July 2019 contract between a Madonna World Tour crew member and Live Nation Tours that revealed the individual’s social security number. The threat actors threatened to release the entire dataset unless their ransom demands were met, leveraging their established reputation for selling stolen data from non-paying victims on underground markets.

The incident posed significant risks to GSMLaw’s clientele, which included internationally recognized figures such as Madonna, Lady Gaga, Elton John, Robert De Niro, Nicki Minaj, Chris Brown, Usher, U2, Timbaland, and Rick Ross. Potential impacts included unauthorized disclosure of confidential career-related contracts, private communications, and sensitive financial or personal identifiers. REvil operated under a ransomware-as-a-service model, employing affiliates with specialized skills for network infiltration and lateral movement to identify valuable data. The group had recently transitioned ransom payments from Bitcoin to Monero cryptocurrency to evade law enforcement tracking. At the time of the initial report, GSMLaw had not publicly commented on the incident or disclosed any containment measures, while REvil’s leak site listed over two dozen previous victims whose data was sold following non-payment. The scale of the breach and the prominence of affected individuals heightened concerns about reputational damage, legal liabilities, and potential identity theft stemming from the exposure of sensitive client information.
