Breach, Threat Management, Data Security, Malware, Ransomware

REvil hackers extort law firm with Lady Gaga, Nicki Minaj, Elton John as clients

Cyberattackers have breached a high-profile entertainment and media law firm, infecting the practice with ransomware and stealing files that apparently pertain to its star clients, including Lady Gaga, Madonna, Elton John, Barbara Streisand, Bruce Springsteen, Mariah Carey and Mary J. Blige.

A cyber analyst who requested anonymity provided SC Media with content posted on the Sodinokibi/REvil ransomware group's website that claims the attackers stole 756 GB of data from the New York-based firm Grubman Shire Meiselas & Sacks.

One sample document that was posted looks to be a contract for a Madonna tour organized by events promoter and venue operator Live Nation. The contract includes one employee's Social Security Number.

In addition to contracts, leaked data reportedly also includes nondisclosure agreements, phone numbers, email addresses and personal correspondence.

Nicki Minaj, Christina Aguilera, Cam Newton (listed on a folder as Cam New), Ella Mai, Bette Midler, Jessica Simpson, Run-DMC, Idina Menzel, Priyanka Chopra, Madison Beer, OutKast and Andre 3000 are among the other artists whose files also appear to haven been taken.

"Personal information is valuable by itself, but personal information about celebrities is even more valuable," said Jonathan Knudsen, senior security strategist at Synopsys. "The attackers in this case have, unfortunately, perpetrated a crime with deep impact."

Typically, ransomware attackers will continue to release stolen files in piecemeal fashion until the victim pays up in order to restore their encrypted files and prevent any additional damaging leaks.

SC Media reached out to Grubman Shire Meiselas & Sacks for comment, but has so far not received a reply. However, the law firm officially confirmed the breach to the entertainment publication Variety.

"Law firms are increasingly becoming desirable targets of sophisticated cyber gangs," said Ilia Kolochenko, founder and CEO of ImmuniWeb. "It is often much easier and faster to breach a mid-sized law firm to get ultra-confidential data compared to targeting its large clients directly, such as banks or celebrities as reportedly happened in this case."

Kolochenko said few law firms are prioritizing investment in holistic cyber resilience and defense, understanding their attack surface or conducting sufficient employee training. "Furthermore, a considerable number of law firms have no incident detection and response capacities, often leaving them unable to detect an intrusion in a timely manner. Worse, modern law firms have to deal with diversified digital flow of sensitive and privileged data on their mobile phone, laptops and office computers. Partners and clients exacerbate this convoluted landscape by uploading confidential documents to public cloud or file sharing websites."

For that reason, Kolochenko concluded, "law firms are a low hanging fruit for cybercriminals, enabling the latter to get their hands on crown jewels of major organizations without spending much effort."

Update: The New York Post reported on May 13 that the attackers are seeking an extortion payment of $21 million.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.