UnitedLex hit by d0nut ransomware team, 200 GB of corporate files leaked (update4)

The d0nut ransomware team seems to be ramping up their activity and leaks. Last week, they contacted DataBreaches about Montgomery General Hospital in West Virginia. Today, they reached out to this site about UnitedLex, a firm that describes itself as helping legal teams modernize “with a consultative framework that brings together legal subject matter expertise, data science, and technology to solve operational challenges across multiple legal disciplines.”

According to a statement sent to DataBreaches by the d0nut team, they downloaded over 200GB of data from UnitedLex’s network, including confidential files involving payments, contracts, and other details related to numerous organizations and individuals.

Directories in the data leak from UnitedLex: clients_files/ contracts/, fin/, finance/, hr/, shr/, soft_dev/, lextree1.txt
Directory of folders in the UnitedLex data leak. Image: DataBreaches.net

From their statement to DataBreaches, the threat actors had clearly done some poring through the files to see what was in them so they write something likely to generate interest in the data leak. As one example, they pointed out that they had seen continuing agreement contracts between Computer Science Corporation and AMEX from 1992 until January 2027 with service fees information. They also mentioned merger documents between Hewlett Packard and DXC Technology (formerly known as Computer Science Corporation).

That they found a lot of confidential and proprietary information in files is not surprising, given the nature of UnitedLex’s business. But while the corporate aspects may be of interest to many people, DataBreaches is always more concerned about the human impact and disclosure of personal information. From DataBreaches’ own skimming of the files, there were personnel-related files that would likely require notification under U.S. state laws and EU data protection laws. d0nut also noted that they found files from Australia, Brazil, China, India, Indonesia, Israel, and Korea.

Many of the files DataBreaches skimmed were from 2017, but other files were more recent (2021). How many clients or former clients may need to be notified of this breach is something that may take UnitedLex time to figure out.

DataBreaches asked d0nut for clarification or additional details on a number of points about the incident, but has not received answers as yet. One point that they proactively disclosed to DataBreaches was that UnitedLex had engaged in some negotiations with them. According to d0nut’s spokesperson:

Through negotiation process with United Lex’s top management, we found out that most of their money were stored in Silicon Valley Bank. We also found an insurance with cyber crime coverage, but they refused to use this option. The sum we offered them to pay was 600,000, which is significantly lower than their insurance limit.

So why did negotiations fall apart? Or didn’t UnitedLex ever intend to pay?

DataBreaches also sent some inquiries to UnitedLex, but no reply was immediately received.

This post will be updated when more information becomes available.

Update1: UnitedLex provided DataBreaches with the following statement:

The security and integrity of our systems are of the utmost importance to us. We recently discovered suspicious activity on our network, immediately initiated our incident response protocols, engaged third-party forensic experts to determine the nature and scope of the activity, and notified the FBI.

Our systems are fully operational, and we have been in constant contact with our customers and employees about this incident and our investigation.

Update2:  According to d0nut leaks’ spokesperson, UnitedLex did detect the intrusion on the third day, and the threat actors were able to lock some servers, although they were not specific as to how many. When contacted by the threat actors, UnitedLex reportedly responded immediately by email.

d0nut had demanded a $5 million ransom, a significantly different demand than the $600,000 mentioned in negotiations.

Update3: In an escalation today, d0nut has started UnitedLex’s clients, beginning with DXC.com.  A copy of their email was provided to DataBreaches.  It states, in part:

According to the following statement of data protection from https://dxc.com/
website: “DXC as a “Service Provider” (as defined in the CCPA) confirms that it will process personal information which it retains, uses, or discloses in connection with its performance under any contract: (1) only on behalf of and for the benefit of the “Business” (as defined in the CCPA) from which it has received or on whose behalf it gathered the personal information; (2) only in accordance with the contract and Business’s prior written instructions, if any; unless (3) as otherwise required by the CCPA. DXC confirms that it will not process personal information for any purpose other than for the specific purpose of performing the services specified in the contract.”

So we decided to offer your management to protect your data for a fee. Please, contact us as soon as possible through following email [redacted by DataBreaches]. We will provide samples of documents related to DXC Technology which had been downloaded from United Lex’s network.

In case if you will completely ignore this message and we won’t see any emails from you – such actions will be regarded as an Agreement to further processing
of your data freely. have a good day!

The sample file, uploaded to a file-sharing site, contained 35 files that were mainly .pdf files and a few Excel files.

Update4: UnitedLex has been added to BlackCat’s leak site. DataBreaches is trying to determine if these are the same data D0nut Leaks have been leaking.

About the author: Dissent

Comments are closed.