Law Firm Jones Day Hit with Ransomware Attack, Third-Party Accellion Software Blamed

Gigabytes of Sensitive Jones Day Data Leaked on Dark Web

One of the largest and highest-grossing international law firms, Jones Day, suffered a massive data breach at the hands of the Cl0p ransomware collective. At least 20 compressed caches of confidential data stolen from the Cleveland-based law firm—which recently served as counsel to former President Donald Trump—were leaked on the dark web. The cache sizes range from 1.5GB to 4.5GB and include highly sensitive email communications from employees at the firm.

Hackers Make Good on Ransomware Threat, Leak Data after Rebuff

As with other similar ransomware collectives, Cl0p not only seeks to lock up the computers of its victims, but also sucks out sensitive data from impacted systems and then publishes that data on a dark web address if victims have a backup of their stolen data, or otherwise refuse to pay the demanded ransom.

In an email exchange with Vice Motherboard, a representative of Cl0p explained, “We hacked their server where they stored data, on attempts to ‘settle’ they responded with silence and we had to upload the data… We emailed them and they ignored us for over a week. We did not encrypt their network, we only stole the data… They did not answer us, we invited them to enter our chat, they entered but were silent.”  

Cl0p insisted that the data was only leaked after their extortion efforts were repeatedly rebuffed by Jones Day.

Accellion at the Heart of the Compromise

Cl0p hackers allegedly compromised Jones Day as a result of the Accellion data breach, announced earlier this year. Accellion, which claims to be the provider of “the industry’s first enterprise content firewall,” was made aware of a zero-day vulnerability in its secure file transfer product, FTA, which is used by enterprise clients, including Jones Day, to facilitate the transfer of large files.

According to Accellion, its now legacy FTA software was “the target of a sophisticated cyberattack” and insists that upon becoming aware of the vulnerability, the company rapidly notified impacted customers and “released a fix within 72 hours.”  Accellion, however, in this statement also noted that this “concerted cyberattack,” which it first learned about in mid-December continued into January 2021, lasting several weeks if not longer. As Accellion identified additional exploits in the ensuing weeks, the company stated it “rapidly developed and released patches to close each vulnerability.”

Third-Party Risk Causes First-Party Pain

The Jones Day data breach is a timely reminder that vulnerabilities in third-party software, like Accellion FTA, are among the most critical vectors of attack. Corporate cyber-exposure is further exacerbated when organizations rely on outdated, legacy software packages that offer little in the way of ongoing support and updates—especially upon news of highly-visible and well-publicized vulnerabilities and exploits.  

File Transfer Services Must Rank High in Security Threat Modeling

Organizations, and law firms in particular, that regularly send and receive sensitive information in particular, are wise to treat large file transfer software as high-critical, high-severity risks in their threat modeling and monitor them with extreme scrutiny. Whether or not your core business model centered on discretion and privacy, rigorous security hygiene for key external interfaces and third-party software is critical. Security and intelligence professionals must keep eyes trained and apply actionable intelligence to monitor for new developments risks, vulnerabilities, and exploits—especially for systems and services managed externally.

Learn More about Flashpoint Ransomware Response

Sign up for your risk-free 90-day trial and see how Flashpoint Readiness and Ransomware Response ensures your entire team is prepped and able to respond to any ransomware attack you may face. When equipped with the Flashpoint Intelligence Platform, you move a step ahead of ransomware attacks and the cybercriminal groups who use them.