Full Report
One of the top-ranked law firms in the country confirmed today that it has suffered a data breach. Jones Day disclosed the breach after hackers known as Silent Ransom Group (SRG) posted the data to their dark web leak site on March 30. A spokesperson for the firm said that limited files for 10 clients...
Analysis Summary
# Incident Report: Jones Day Data Breach (Silent Ransom Group)
## Executive Summary
Jones Day, a prominent international law firm, experienced a targeted data breach involving the exfiltration of sensitive client files. The incident, attributed to the Silent Ransom Group (SRG/Luna Moth), resulted in a $13 million ransom demand and the subsequent leaking of data for 10 clients on the dark web. The firm has confirmed that the breach was limited in scope and has notified all affected parties.
## Incident Details
- **Discovery Date:** Approximately March 20, 2026 (via ransom demand)
- **Incident Date:** March 2026
- **Affected Organization:** Jones Day
- **Sector:** Legal / Professional Services
- **Geography:** United States (Global Firm)
## Timeline of Events
### Initial Access
- **Date/Time:** Early March 2026
- **Vector:** Phishing
- **Details:** Attackers targeted a key member of the firm, specifically the head of the Federal Circuit team, through sophisticated phishing techniques.
### Lateral Movement
- **Details:** The threat actors gained access to the primary target's environment; specific movement within the broader network is not detailed, but the attackers managed to access files belonging to multiple high-profile clients.
### Data Exfiltration/Impact
- **Details:** Attackers exfiltrated limited files pertaining to 10 specific clients. A file tree was later posted by the attackers as proof of the theft.
### Detection & Response
- **Discovery:** Discovered via a direct extortion communication on March 20, 2026, where attackers identified themselves as "Ammiel Olsen."
- **Response Actions:** The firm engaged in limited communication/negotiation monitoring between March 20 and March 28 but apparently refused to pay the $13M demand. Affected clients were notified following the public leak on March 30.
## Attack Methodology
- **Initial Access:** Phishing (Social Engineering)
- **Persistence:** Not specifically detailed; likely via compromised credentials.
- **Privilege Escalation:** Targeted high-level executives to gain access to sensitive legal data.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Obtained through initial phishing of the Federal Circuit team lead.
- **Discovery:** Targeted search for sensitive litigation and client files.
- **Lateral Movement:** Not detailed.
- **Collection:** Gathering of sensitive legal documents and client data.
- **Exfiltration:** Transfer of data to attacker-controlled infrastructure.
- **Impact:** Extortion (Data Ransom) and public disclosure on a dark web leak site.
## Impact Assessment
- **Financial:** A $13 million ransom was demanded (not paid). Potential legal liability and forensic costs are ongoing.
- **Data Breach:** Exfiltration of files belonging to 10 clients; volume of data not specified but described as "limited."
- **Operational:** Disruption to the Federal Circuit team; management of high-stakes extortion.
- **Reputational:** High public impact due to the firm's prestige and the attackers' public threats regarding sensitive client ties (e.g., mentions of the Epstein files).
## Indicators of Compromise
- **Network indicators:** No attacker-controlled network infrastructure has been disclosed. hxxps[://]databreaches[.]net is the reporting source cited, not an attacker indicator; the only attacker-controlled location referenced is the dark web leak site associated with Silent Ransom Group (SRG), whose address is not given in public reporting.
- **File indicators:** Not disclosed in public reporting.
- **Behavioral indicators:** Use of the alias "Ammiel Olsen" in negotiation chats; threats to contact employees and clients directly via "Triple Extortion" tactics.
## Response Actions
- **Containment:** Isolated affected accounts and systems.
- **Eradication:** Not detailed in the report.
- **Recovery:** Notification of 10 affected clients and public disclosure through a firm spokesperson.
## Lessons Learned
- **Targeting of Leadership:** Attackers increasingly target senior partners or specialized team leads (e.g., Federal Circuit lead) rather than general IT staff due to the sensitivity of the data they handle.
- **Ransomware-as-a-Service/Extortion Trends:** Groups like SRG (Luna Moth) are prioritizing data theft and extortion over encryption-based ransomware.
- **Vendor Risk:** This incident follows a previous breach involving Jones Day's use of Accellion, highlighting that law firms remain perennial targets for state-sponsored and criminal actors.
## Recommendations
- **Executive Threat Protection:** Implement enhanced monitoring and MFA for high-value targets (Partners and Team Leads).
- **Phishing Simulation:** Conduct advanced social engineering simulations targeting specific legal departments.
- **Data Loss Prevention (DLP):** Deploy DLP solutions to detect and block the exfiltration of large volumes of sensitive client documents.
- **Incident Response Planning:** Ensure "extortion-only" scenarios are included in tabletop exercises, focusing on PR and client notification strategies.