Legal and Law Enforcement Responses to Data Breach Platforms and Ransomware Incidents
HWL Ebsworth, a prominent Australian law firm, suffered a ransomware attack by the ALPHV (BlackCat) group, resulting in the exfiltration of sensitive client data. In response, the firm obtained a court injunction intended to prevent the hackers from publishing or sharing the stolen data, as well as to restrict its dissemination by third parties, including journalists and security researchers. Despite being served with the injunction, the threat actors openly mocked the legal action and proceeded to release a substantial amount of the compromised data online, demonstrating the limited practical effect of such legal measures on criminal actors. The injunction did, however, give HWL Ebsworth a legal basis to request that online platforms refrain from hosting or distributing the stolen data, potentially limiting its spread among legitimate entities. This case highlights the challenges organizations face in controlling the aftermath of a data breach, especially when dealing with transnational cybercriminals who are unlikely to respect legal orders. The incident also raises concerns about the balance between protecting sensitive information and the ability of journalists and security professionals to analyze and report on breaches for the public good.

Meanwhile, law enforcement agencies continue to target cybercrime infrastructure, as evidenced by the recent seizure of BreachForums, a notorious platform for trading stolen data. The seizure was carried out by a coalition of U.S. and French authorities, including the Department of Justice, FBI, BL2C, and JUNALCO, and resulted in the takedown of both the clearnet and onion versions of the forum. At the time of the seizure, the group ScatteredLAPSUS$Hunters was threatening to leak data from 39 Salesforce customers unless a ransom was paid, with high-profile companies such as Qantas, Air France & KLM, Disney/Hulu, UPS, FedEx, Home Depot, Gucci, and Toyota Motors among the potential victims.
The law enforcement action included changing the name servers of the forum's domains to those controlled by the FBI, effectively cutting off access to the site and its backup domains. Despite these efforts, some elements of the criminal infrastructure, such as alternative onion sites, remained operational, illustrating the resilience and adaptability of cybercriminal networks. The seizure of BreachForums was met with mixed reactions in underground communities, with some users expressing defeat and others urging continued resistance. These events underscore the ongoing cat-and-mouse dynamic between cybercriminals and law enforcement, as well as the limitations of both legal and technical interventions in fully mitigating the risks and impacts of major data breaches. Organizations targeted by ransomware and data theft must navigate a complex landscape of legal, technical, and reputational challenges in their response efforts. The effectiveness of court injunctions and law enforcement takedowns is often constrained by the global and decentralized nature of cybercrime. Both incidents demonstrate the need for comprehensive, multi-layered strategies to address the evolving threat landscape and protect sensitive data from exposure and misuse.
Related Stories
Law Enforcement Seizure of BreachForums Used for Salesforce Extortion
U.S. and French law enforcement agencies, including the FBI and France’s BL2C cybercrime unit, have seized the primary domains of BreachForums, a notorious hacking forum operated by the ShinyHunters group. The forum, previously known for facilitating cybercriminal activity, had recently shifted its focus from a traditional discussion platform to a dedicated leak and extortion portal. This portal was being used to publish and threaten the release of data stolen from Salesforce and its corporate customers as part of an ongoing extortion campaign. High-profile companies such as Qantas, Disney, McDonald’s, and UPS were among the reported victims of this campaign, which relied heavily on social engineering tactics to compromise Salesforce accounts. The seizure notice, now displayed on the forum’s clearnet domain, features the logos of U.S. and French authorities, signaling the international cooperation behind the takedown. Despite the seizure of the clearnet site, the group’s onion (dark web) domain remains operational, continuing to threaten the release of stolen data.

ShinyHunters, under the new moniker Scattered Lapsus$ Hunters, confirmed the loss of their infrastructure in a PGP-signed statement, acknowledging that all their domains and backend servers had been taken by law enforcement. They also admitted that database archives and escrow data dating back to 2023 are now under FBI control, effectively compromising years of criminal records and transactions. The group stated that no core administrators had been arrested, but they would not attempt to relaunch BreachForums, warning that such forums are now likely to be law enforcement honeypots. The seizure was timed to prevent the public release of sensitive Salesforce customer data, which the group had threatened to leak at a specified deadline. Law enforcement’s action represents a significant disruption to the infrastructure supporting ransomware and extortion operations targeting major corporations.
The operation also highlights the ongoing evolution of cybercriminal tactics, as forums transition from discussion boards to direct extortion platforms. Despite the takedown, the threat actors insist that their Salesforce campaign remains unaffected, and their dark web leak site continues to list affected companies. The incident underscores the persistent threat posed by groups like ShinyHunters and the challenges faced by law enforcement in fully dismantling their operations. The seizure of BreachForums is the latest in a series of law enforcement actions targeting cybercrime forums, following previous takedowns such as RaidForums. The event demonstrates the importance of international collaboration in combating cyber-enabled extortion and data theft. Organizations affected by the Salesforce campaign are advised to monitor for potential data leaks and strengthen their security posture against social engineering attacks. The broader cybersecurity community is watching closely to see if the disruption of BreachForums will have a lasting impact on the underground economy or simply drive activity further underground.
Ransomware and Cyber-Extortion Trends: Shift to Data Theft and Evolving RaaS Ecosystem
Cyber insurance and threat reporting indicate **ransomware operators are increasingly leaning on data theft and extortion** as organizations improve backup and recovery. Coalition’s 2025 claims data (across 100,000+ policyholders) shows **business email compromise (BEC)** and **funds transfer fraud (FTF)** dominated claims volume, while **ransomware** represented a smaller share but featured **sharply higher initial demands** (average just over **$1.0M**, with some as high as **$16M**) even as average loss severity declined—consistent with improved restoration and response reducing the leverage of pure encryption-only attacks. In parallel, the broader ransomware ecosystem continues to **reorganize rather than shrink** despite sustained law-enforcement disruption of major RaaS brands (e.g., LockBit/Hive/ALPHV), with reporting citing high victim-post volumes across dozens of active operations. Halcyon reported a **tactical shift among pro-Iranian/pro-Palestinian-aligned operators** away from *Sicarii* toward **BQTLock (Baqiyat 313 Locker)**, including promotion of “free” RaaS access via Telegram and targeting focused on the UAE, US, and Israel. Separately, **ShinyHunters** claimed a major theft from AI merchant-data platform *Woflow* (alleging internal data, PII, and transaction/order details) but provided no sample for verification at the time of reporting, while a separate SC Media piece used the **SoundCloud** incident (reported exposure of data tied to ~**29.8M** accounts) to highlight incident-response and crisis-management considerations rather than new technical findings.
Ransomware Recovery Challenges and the Shift to Targeted Attacks
Ransomware attacks continue to pose a significant threat to organizations, with recent surveys indicating that paying the ransom does not guarantee successful data recovery. According to Hiscox’s Cyber Readiness Report, only 60% of companies that paid a ransom were able to recover all or part of their data, while 40% lost their data despite payment. The technical sophistication of ransomware operators varies, with established groups more likely to provide functional decryptors, but many victims still face flawed encryption or unresponsive attackers. Additionally, the frequency of ransomware incidents has surged, with reports showing a near tripling of cases year-over-year in early 2025, and a majority of victims experiencing data theft even after paying ransoms. The ransomware landscape has evolved from high-volume, opportunistic attacks to a "big game hunting" model, where adversaries selectively target organizations with the most to lose and the greatest ability to pay. New criminal syndicates such as Spoiled Scorpius (RansomHub) and Howling Scorpius (Akira) are conducting sophisticated, long-term campaigns against high-value targets, often employing multi-extortion tactics that combine data encryption with threats of public exposure. This strategic shift has transformed ransomware from a purely IT issue into a critical business continuity threat, requiring organizations to adopt new defensive strategies and prepare for more calculated, high-impact attacks.