A high-profile cyberattack has hit celebrity law firm Grubman Shire Meiselas & Sacks, which represents A-listers including Robert De Niro and Lady Gaga, with hackers threatening to expose a 746GB data cache, including personal data and contracts.
The attack saw the New York City, US-based firm’s systems breached by hackers, enabling them to steal its vast repository of files and infect them with a strain of ransomware known as REvil/Sodinokibi. The perpetrators have posted a screenshot of the file directory along with what appears to be a Madonna contract, and are demanding payment of an unknown amount to prevent the full repository’s release.
If it is released, it will likely see the exposure of personal data relating to both previous and current clients of the firm, with Priyanka Chopra, Mariah Carey, Bruce Springsteen, Nicki Minaj and Rod Stewart also thought to be among those affected.
“We can confirm that we’ve been victimised by a cyberattack,” said Grubman Shire Meiselas & Sacks in a statement.
“We have notified our clients and our staff. We have hired the world’s experts who specialise in this area, and we are working around the clock to address these matters.”
The company’s full website is currently down, and shows only the firm’s logo.
To pay or not to pay: Celebrity law firm faced with nightmare decision over cyberattack
Exactly what data is held on each client, and therefore how severe its exposure would be, remains unclear. Grubman has not provided this information, and the information released by the hackers so far has not clarified this. However, it could play a key role in the firm’s decision whether to pay the ransom.
“The million dollar question is how much personal information the hackers have obtained and how real are their threats? This is no laughing matter,” said Sam Curry, chief security officer at Cybereason.
“And what are the ransom demands of the hackers? If the hackers have obtained personal information of these celebrities, will they give Grubman the encryption keys and return stolen files if the ransom demands are met?”
Furthermore, even if the firm does decide to pay, there is nothing to stop the hackers taking the money and releasing the files anyway.
“Unfortunately, there are no longer any guarantees for companies that decide to pay a ransom because there is less and less honesty amongst these cybercriminals,” said Curry.
“Paying a ransom no longer guarantees a return of proprietary information.”
“As with other ransom situations, it is also impossible to know if paying the ransom will make your problem go away. Even if you regain access to your own information, your attacker might still have a copy of the information and be able to resell it to other interested parties,” agreed Jonathan Knudsen, senior security strategist at Synopsys, adding that the fact that celebrities are impacted makes this a particular risk.
“Personal information is valuable by itself, but personal information about celebrities is even more valuable. The attackers in this case have, unfortunately, perpetrated a crime with deep impact.”
“All companies are at risk of daily attacks, but some attract further attention due to the kudos or media value they may possess,” added Jake Moore, cybersecurity specialist at ESET.
“Celebrity hacks have always gained global attention and can therefore cause more damage, and this in turn loads those companies with extra pressures to pay out.”
However, Moore does not believe Grubman should pay.
“This will be a difficult decision to make, but I always advise companies not to pay the demands,” he said.
“The hackers do not obey normal morals and if they do have the firm’s data they could very easily still release it at any time, or in fact increase demands further.”
Grubman Shire Meiselas & Sacks hit by “surgical” cyberattack
While many ransomware attacks are the result of a scattershot approach, experts suspect that this incident was the result of precise targeting of Grubman Shire Meiselas & Sacks due to the lucrative nature of the data it holds.
“This breach appears to be a surgical strike against Grubman, knowing they represent many of the biggest celebrities in the world,” said Curry.
It is also part of a wider trend among hackers to target law firms, as they often have weaker cybersecurity than similarly sized organisations in other industries.
“Law firms are increasingly becoming desirable targets of sophisticated cyber gangs. It is often much easier and faster to breach a mid-sized law firm to get ultra-confidential data compared to targeting its large clients directly, such as banks or celebrities as reportedly happened in this case,” said Ilia Kolochenko, founder and CEO of ImmuniWeb.
“In a highly competitive and now digitally-disrupted legal services market, few law firms are prioritising investment into holistic cyber resilience and defense, understand their attack surface, let alone conduct sufficient employee training.”
Kolochenko highlighted that this was a particular problem due to the combination of the ways the legal industry gains sensitive data, the lack of cybersecurity investment and the tendency not to report such incidents.
“A considerable number of law firms have no incident detection and response capacities, often leaving them unable to detect an intrusion in a timely manner. Worse, modern law firms have to deal with diversified digital flow of sensitive and privileged data on their mobile phone, laptops and office computers,” he said.
“Partners and clients exacerbate this convoluted landscape by uploading confidential documents to public cloud or file sharing websites. Moreover, even if a data breach is detected, a not insignificant number of law firms would prefer to keep the incident as silent as possible to avoid disastrous reputational damage and acrimonious lawsuits from their clients.
“Ultimately, law firms are a low hanging fruit for cybercriminals, enabling the latter to get their hands on crown jewels of major organisations without spending much effort.”
Lessons for the legal industry and beyond
For those in the legal industry – as well as any field involving sensitive client data – the attack serves as a wake-up call to ensure not only that ransomware is being guarded against, but that any easy routes into corporate systems are locked down.
“The overwhelming tendency is to focus on the ransomware itself in these types of cases, but ransomware doesn’t magically appear on a system,” said Tim Erlin, VP at Tripwire.
“Organisations that are concerned about ransomware should assess how well they’ve deployed basic controls like vulnerability management, secure configurations and email protections. The first line of defense against ransomware is to prevent it from getting inside in the first place.
“Ransomware makes headlines, in part, because it’s always detected. It has to be, in order to get the ransom paid. Keep in mind that if self-announcing ransomware can get in, so can much more stealthy attackers.”
It is essential that organisations review their cybersecurity and identify areas that can be improved upon.
“Like the celebrities whose information is now in jeopardy, we all interact with organisations every day that might result in a situation like this,” said Synopsys’s Knudsen.
“It is impossible to evaluate the security posture of every business where you have sensitive information, and for the most part, we must rely on a system of trust. Businesses can reduce the risk of a catastrophic breach by taking a proactive, security-first stance and following industry best practices in designing and implementing their technology solutions.”
It is also important to remember that any organisation can be a target.
“The longer-term issue for Grubman, other law firms and any organisation is what approach are they taking to secure private information. Today, it’s no longer a matter of if, but when a breach will occur,” said Cybereason’s Curry.
“Every company has been hacked, most many times over, and it comes down to how quickly a company identifies malicious activity and stops it.
“In the case of Grubman and their large list of A-list celebrities, most if not all of them are sweating out the current situation and hoping the damage will be minimal.”