Cl0p Ransomware Hits Famous Law Firm


In the cybersecurity world, a new decade of challenges looms ahead. Leading up to 2021, practically every sector imaginable has been hit with some sort of cybercrime disruption. Then again, 2020 was a year for the cybersecurity history books, which set a concerning precedent for the future. Indeed, such trends do continue and 2021 so far looks like it will host a new batch of serious ransomware campaigns.

Most will agree that one of the most hyped recent global events was the U.S. election, with remnants of Trump’s legal affairs still lingering in the air and in the media. The amount of controversy around Trump and the 2020 elections manifested itself in the form of high-level law firm data breaches. There is now a lot of ongoing buzz related to a serious ransomware campaign that has been targeting law firm Jones Day.

Law firms are not immune to cyberattacks. According to reports from the American Bar Association, “Reports of malicious activity intensified significantly affecting all corners of life including the legal profession”. The same report also notes that firms in 2020 have experienced an increase in security breaches and that cybersecurity awareness in the firms is not sufficiently comprehensive.

Jones Day Law Firm

Jones Day is a powerful global law firm based in the U.S. that famously represented and supported Donald Trump during the recent 2020 elections. The firm also has several other high-profile clients in the Fortune 500 such as Fox News, Goldman Sachs, and McDonald’s, to name a few.

What is CL0P Ransomware

Cl0p ransomware, discovered in 2019, is a persistent form of multiple malware variants that continues to target high-profile victims today. Besides the persistence, Cl0p ransomware is notorious for breaking records in extortion sums, reaching tens of millions of dollars. The ransomware works by encrypting files that can only be unlocked with a code following payment of the ransom.

Hacking Group Exfiltrates Law Firm Files

According to Reuters and multiple other news sources, law firm Jones Day has been the latest victim compromised in a notorious ransomware attack by a group called Cl0p. The hackers claim to have successfully exfiltrated high-value files and subsequently dumped the files on the dark web.

Ransomware group Cl0p had taken screenshots of confidential legal files and apparently put pressure on Jones Day for ransom. When the law firm did not respond to the hackers, it prompted them to increase the blackmail and release even more data. It appears that Jones Day themselves have not responded to questions about the breach, nor is there any corresponding information on their official website. Hackers claim that they took 100 GB of data including compressed ZIP and 7z files.

Exact information on the leaked documents is unavailable. What is known is that screenshots included a ‘confidential mediation brief’ for a judge and files marked ‘confidential documents’. It is also confirmed that hackers have extracted emails and are storing them on the dark web.

Hackers Talked to Motherboard

Hackers reportedly spoke to VICE’s tech magazine Motherboard via email on the dark web. The conversation revealed that the hackers accessed “the server where they (Jones Day) stored data”. Furthermore, in the email they stated that they emailed the law firm and that “they ignored us for over a week. We did not encrypt their network, we only stole the data”. The law firm did not answer the hackers when invited to their “chat”, but entered and remained silent.

The Cl0p group also confirmed to Motherboard that their intentions are “of course” financial.

Further Details

Apparently, Jones Day first stated that there was no breach, although later they admitted to news agencies that there in fact was a breach. The law firm blamed file-sharing company Accellion, which they work with. Accellion themselves have a track record in data breaches. The hackers, however, have stated that they have never touched Accellion.

In a blog post in January by Deutsche Telekom Security, it is stated that the Cl0p group publishes their data on a ‘leak’ portal named ‘CL0P^-LEAKS’ and that the group is currently working on breaching company executives.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at, while in his free time he likes to work on documentary projects, read about sociology and write about world events.