Singapore law firm Shook Lin & Bok hit by cyber attack; allegedly paid $1.89m in bitcoin as ransom

SINGAPORE – Singapore law firm Shook Lin & Bok was hit by a ransomware attack in April, and the incident is now under investigation by the local authorities.

In response to queries from The Straits Times, the firm said in a statement on May 2 that the incident was discovered on April 9, and it immediately engaged a cyber-security team.

The firm’s systems were “contained” as at 2am on April 10, and the incident has been reported to the police, the Cyber Security Agency of Singapore (CSA), and the Personal Data Protection Commission Singapore, the statement said.

The firm is working closely with cyber-security teams and other specialists to minimise impact on its clients and stakeholders.

There is no evidence so far that the firm’s document management systems which contain client data were affected, and the firm continues to operate as usual, the statement added.

According to a report by independent website SuspectFile, which posts primarily about ransomware incidents, the law firm paid 21.07 bitcoins to the Akira ransomware group, spread across three transactions. The amount was equivalent to around US$1.4 million (S$1.89 million) at the time of payment.

When contacted by ST, the firm did not respond to queries about whether it had paid any ransom to the group.

Shook Lin & Bok offers services in areas such as banking and finance, capital markets, and construction and projects.

The ransomware group had initially demanded a payment of US$2 million in bitcoin, but the firm was able to negotiate to lower the ransom, said the report.

The Akira ransomware group began operating in early 2023 and it typically demands ransoms of between US$200,000 and US$4 million to prevent stolen data from being published online, said Mr Leonardo Hutabarat, head of solutions engineering of Asia-Pacific and Japan at IT security company LogRhythm.

The group usually goes after small and medium-sized businesses, which are perceived as easier targets due to weaker cyber-security systems, he said, adding that it uses tactics such as phishing e-mails and exploiting unpatched software vulnerabilities to infiltrate systems.

The group uses double or multi-extortion techniques, where it threatens to leak or sell private and confidential data, while refusing victims access to encrypted data or systems, he added.

The law firm paid the ransom to obtain decryption keys for its ESXi virtualisation platform, according to SuspectFile’s report.

The platform functions as an operating system that helps organisations create virtual representations of servers, storage, networks and other physical machines, said Mr Hutabarat.

He added that Akira also likely stole corporate data before encrypting the files, which it could use as leverage in extortion attempts.

“The threat facing the victim here is twofold – one, the loss of access to their virtual servers, which affects the continuity of daily operations,” said Mr Hutabarat. “Two, the threat of confidential corporate and client data being leaked, which may cause reputational damage and financial loss.”

The Akira group has previously claimed responsibility for a December 2023 data breach at Nissan Oceania, the regional division of Japanese automaker Nissan.

A CSA spokesman told ST that the agency is aware of this incident, and has offered assistance to the law firm.

The Government “strongly discourages” victims from paying the ransom as there is no guarantee that locked data will be decrypted, or that stolen data will not be used for malicious purposes once ransom has been paid, said the spokesman.

He added that threat actors may also view such organisations as soft targets who are willing to pay up, and strike again.

He said that paying also encourages threat actors to continue their criminal activities and target more victims.

“Ransomware remains a growing concern in Singapore, a trend that is mirrored globally,” said the spokesman, adding that it is important for organisations to take steps to enhance their resilience against ransomware threats.

CSA urges the public to refer to the one-stop ransomware portal at go.gov.sg/rwportal for available tools and resources, and advises organisations to report any ransomware attacks to the police and CSA’s Singapore Cyber Emergency Response Team.

Mr Nathan Hall, vice-president of Asia Pacific and Japan at IT services company Pure Storage, said that ransomware attacks pose risks of significant financial and reputational damage, and companies can reduce their chances of a successful attack with the right processes and technology.

Some basics to mitigate damage include performing regular updates, using robust encryption, maintaining vigilant monitoring and having a Zero Trust security model, he said.

The model requires rigorous authentication and authorisation for every connection attempt, and grants users and applications only the minimum amount of access needed to do their required tasks.
