Award Banner
Award Banner

Law firm Shook Lin & Bok allegedly paid $1.89m in bitcoin as ransom over cyber attack

Law firm Shook Lin & Bok allegedly paid $1.89m in bitcoin as ransom over cyber attack
The Government “strongly discourages” victims from paying ransom as there is no guarantee that locked data will be decrypted.
PHOTO: The Straits Times

SINGAPORE — Singapore law firm Shook Lin & Bok was hit by a ransomware attack in April, and the incident is now under investigation by the local authorities.

In response to queries from The Straits Times, the firm said in a statement that the incident was discovered on April 9, and it immediately engaged a cyber-security team.

The firm's systems were contained as of 2am on April 10, and the incident has been reported to the police, Cyber Security Agency of Singapore (CSA), and Personal Data Protection Commission Singapore, the statement said.

The firm is working closely with cyber-security teams and other specialists to minimise impact on its clients and stakeholders.

There is no evidence so far that the firm's document management systems which contain client data were affected, and the firm continues to operate as usual, the statement added.

According to a report by independent website SuspectFile, which posts primarily about ransomware incidents, the law firm allegedly paid 21.07 bitcoins to Akira ransomware group spread across three transactions.

The amount was equivalent to around US$1.4 million (S$1.89 million) at the time of payment.

When contacted by ST, the firm did not respond to queries about whether it had paid any ransom to the group.

Shook Lin & Bok offers services in areas such as banking and finance, capital markets, and construction and projects.

The group had initially demanded a payment of US$2 million in bitcoin, but the firm was able to negotiate to lower the ransom, said the report.

The Akira ransomware group began operating in early 2023, and typically demands ransoms between US$200,000 and US$4 million to prevent stolen data from being published online, said Leonardo Hutabarat, head of solutions engineering of Asia-Pacific and Japan at IT security company LogRhythm.

The group usually goes after small and medium-sized businesses, which are perceived as easier targets due to weaker cyber-security systems, he said, adding that it uses tactics such as phishing e-mails and exploiting unpatched software vulnerabilities to infiltrate systems.

The group uses double or multi-extortion techniques, where it threatens to leak or sell private and confidential data, while refusing the victims' access to encrypted data or systems, he added.

The law firm had allegedly paid the ransom to obtain decryption keys for its ESXi virtualisation platform, according to SuspectFile's report.

The platform functions as an operating system which helps organisations create virtual representations of servers, storage, networks, and other physical machines, said Hutabarat.

He added that Akira also likely stole corporate data before encrypting the files, which it could use as leverage in extortion attempts.

"The threat facing the victim here is twofold — one, the loss of access to their virtual servers, which affects the continuity of daily operations," said Hutabarat.

"Two, the threat of confidential corporate and client data being leaked, which may cause reputational damage and financial loss."

Akira group has previously claimed responsibility for a December 2023 data breach on Nissan Oceania, the regional division of Japanese automaker Nissan.

A CSA spokesman told ST that the agency is aware of this incident, and has offered assistance to the law firm.

The Government "strongly discourages" victims from paying the ransom as there is no guarantee that locked data will be decrypted, or that stolen data will not be used for malicious purposes once ransom has been paid, said the spokesman.

He added that threat actors may also view such organisations as soft targets who are willing to pay up, and strike again.

[[nid:670380]]

He said that paying also encourages the threat actors to continue their criminal activities and target more victims.

"Ransomware remains a growing concern in Singapore, a trend that is mirrored globally," said the spokesman, adding that it is important for organisations to take steps to enhance their resilience against ransomware threats.

CSA urges the public to refer to the one-stop ransomware portal at go.gov.sg/rwportal for available tools and resources, and advises organisations to report any ransomware attacks to the police and CSA's Singapore Cyber Emergency Response Team, he said.

Nathan Hall, vice-president of Asia Pacific and Japan at IT services company Pure Storage, said that while ransomware attacks pose risks of significant financial and reputational damage, companies can reduce their chances of a successful attack with the right processes and technology.

Some basics to mitigate damage include performing regular updates, using robust encryption, maintaining vigilant monitoring and having a Zero Trust security model, he added.

The model requires rigorous authentication and authorisation for every connection attempt, and grants users and applications only the minimum amount of access needed to do their required tasks.

ALSO READ: Cisco says hackers subverted its security devices to spy on governments

This article was first published in The Straits Times. Permission required for reproduction.

This website is best viewed using the latest versions of web browsers.