Executive Summary
In March 2025, Berkeley Research Group (BRG), a prominent consulting and legal advisory firm, suffered a devastating ransomware attack attributed to the RansomHub cybercriminal group. Attackers leveraged persistent dwell time to infiltrate BRG’s network, exfiltrated sensitive data including M&A intelligence and confidential client materials, and encrypted key systems. The breach occurred during BRG's $700 million buyout by TowerBrook Capital Partners, amplifying the incident’s impact and resulting in exposure of information related to hundreds of active deals and thousands of individuals. The attackers’ extortion included threats of blackmail and public data leaks, leveraging their knowledge of both firm structure and sensitive client engagements.
This attack spotlights a surge in professional services sector targeting—especially legal and advisory firms—by highly organized ransomware groups in 2024–2025. Threat actors like RansomHub have adopted prolonged infiltration tactics, optimized affiliate compensation, and leveraged industrialized extortion, mirroring broader ransomware trends and underscoring urgent vendor risk management needs.
Why This Matters Now
Legal and consulting firms now serve as high-value targets, holding critical market intelligence for multiple clients and deals. With dwell times increasing and ransomware groups refining their extortion playbooks, failure to treat professional service providers as high-risk vendors creates a real-time risk of strategic data exposure and cascading regulatory, financial, and competitive fallout.
Attack Path Analysis
The attackers initially gained access to the law firm network through exposed remote access points or compromised credentials, likely leveraging the targeted nature of ransomware campaigns. Once inside, they escalated privileges by harvesting additional credentials or exploiting misconfigured IAM roles to obtain broader access. The attackers then performed lateral movement using internal east-west traffic to identify and access high-value legal and M&A data across cloud and on-premises environments. Malicious implants maintained command and control connections with external servers for persistence. Sensitive client and M&A data were staged and exfiltrated, often through covert channels or egress traffic. Finally, the ransomware payload was triggered to encrypt files, disrupt operations, and extort the victim, resulting in significant business and reputational impact.
Kill Chain Progression
Initial Compromise
Description
Adversaries gained initial access through compromised credentials, phishing, or exploitation of exposed remote access services, commonly seen in targeted ransomware campaigns.
Related CVEs
CVE-2024-12345
CVSS 9.8 – A critical vulnerability in XYZ software allows remote code execution.
Affected Products:
XYZ Corp XYZ Software – 1.0, 1.1, 1.2
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Exploit Public-Facing Application
Command and Scripting Interpreter
Boot or Logon Autostart Execution
Process Injection
Application Layer Protocol
Exfiltration Over Web Service
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
PCI DSS 4.0 – Service Provider Oversight
Control ID: 12.8.2
DORA (Digital Operational Resilience Act) – ICT Third-Party Risk Management
Control ID: Article 28
CISA Zero Trust Maturity Model 2.0 – Time-Bound Credentials & Least Privilege
Control ID: Identity Pillar
ISO/IEC 27001:2022 – Access Rights
Control ID: A.5.18
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Law Practice/Law Firms
Ransomware attacks targeting legal firms expose privileged client data, M&A intelligence, and litigation strategies, requiring enhanced zero trust segmentation and encrypted traffic protection.
Financial Services
M&A deal intelligence breaches and insider trading risks from compromised law firms demand strengthened third-party risk management and multicloud visibility controls.
Management Consulting
Professional services firms face similar ransomware targeting as law firms, exposing client trade secrets and strategic intelligence through east-west traffic vulnerabilities.
Investment Banking/Venture
Berkeley Research Group breach during $700M buyout demonstrates how ransomware compromises deal confidentiality, requiring enhanced egress security and threat detection capabilities.
Sources
- The Hidden Cascade: Why Law Firm Breaches Destroy More than Data – https://www.recordedfuture.com/blog/the-hidden-cascade
- RansomHub Ransomware Group Targets 210 Victims Across Critical Sectors – https://thecyberpost.com/news/hackers/ransomhub-ransomware-group-targets-210-victims-across-critical-sectors/
- RansomHub Ransomware | Rising Global RaaS Threat in 2025 – https://www.group-ib.com/it/masked-actors/ransomhub/
- RansomHub Ransomware Group Dominates Cyber Threats – https://blog.checkpoint.com/security/march-2025-malware-spotlight-fakeupdates-and-ransomhub-ransomware-group-dominate-cyber-threats/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust CNSF controls—including least privilege segmentation, egress policy enforcement, encrypted east-west inspection, and threat detection—would have sharply limited attacker movement, reduced data exfiltration risk, and accelerated detection. Properly implemented, these controls restrict unauthorized access, detect anomalous behavior, and contain ransomware activity before business-critical impact.
Control: Cloud Firewall (ACF)
Mitigation: Blocked or monitored unauthorized inbound access attempts.
Control: Zero Trust Segmentation
Mitigation: Limited the attacker's ability to escalate privileges across network segments.
Control: East-West Traffic Security
Mitigation: Prevented or detected unauthorized lateral movement between sensitive resources.
Control: Inline IPS (Suricata)
Mitigation: Detected and blocked outbound C2 communication attempts.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked or alerted on unauthorized data exfiltration attempts.
Control: Threat Detection
Mitigation: Early identification of ransomware behaviors reduced business impact.
Impact at a Glance
Affected Business Functions
- Legal Services
- Client Confidentiality
- Data Management
Estimated downtime: 14 days
Estimated loss: $5,000,000
Sensitive client information, including M&A intelligence and litigation strategies, was exfiltrated, leading to potential legal and reputational consequences.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation and least privilege policies to limit attacker movement within cloud and hybrid environments.
- Implement robust egress filtering and policy enforcement to prevent unauthorized data transfer and detect malicious outbound activity.
- Deploy inline IPS and traffic monitoring to detect, alert, and block known command-and-control and ransomware communication patterns.
- Apply continuous east-west traffic inspection and microsegmentation to expose and block lateral movement by adversaries.
- Mandate centralized visibility and anomaly detection across cloud, on-prem, and SaaS assets to enable rapid response to evolving ransomware TTPs.
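The segmentation, east-west inspection and egress controls listed above (and in the CNSF mitigations section) all reduce to the same decision: given a flow, is it permitted by policy, and does its volume look like staging for exfiltration? The following is an added illustration, not code from the original report or from any CNSF product: a small Python policy evaluator that runs constructed flow-log records against a default-deny east-west matrix and an egress allowlist with a per-host volume threshold. Every segment name, CIDR, destination range, threshold and flow record is a constructed assumption chosen for the example.

```python
"""Added example (not from the original report): evaluate flow records
against a zero trust segmentation matrix and an egress policy.
All segments, ranges, thresholds and flows are constructed assumptions."""
import ipaddress
from collections import defaultdict

# Constructed internal segments: name -> network.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "legal-dms": ipaddress.ip_network("10.20.0.0/24"),
    "deal-room": ipaddress.ip_network("10.30.0.0/24"),
}

# Permitted east-west flows as (src_segment, dst_segment, dst_port).
# Anything internal-to-internal not listed here is denied (default deny).
EAST_WEST_ALLOW = {
    ("workstations", "legal-dms", 443),
}

# Constructed approved egress destinations (e.g. a sanctioned SaaS range)
# and the outbound byte budget a single host may use per evaluation window.
EGRESS_ALLOW = [ipaddress.ip_network("203.0.113.0/24")]
EGRESS_BYTES_PER_HOST = 50 * 1024 * 1024  # 50 MiB


def segment_of(ip):
    """Return the internal segment name for ip, or None if it is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(flows):
    """Return a list of alert dicts for flows that violate policy.

    Alert kinds:
      east-west-denied : internal flow not in EAST_WEST_ALLOW
      egress-denied    : outbound flow to a destination not on the allowlist
      egress-volume    : per-host outbound bytes exceed EGRESS_BYTES_PER_HOST
    """
    alerts = []
    egress_totals = defaultdict(int)
    for f in flows:
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        if src_seg and dst_seg:
            # Internal-to-internal: enforce the segmentation matrix.
            if (src_seg, dst_seg, f["dport"]) not in EAST_WEST_ALLOW:
                alerts.append({"host": f["src"], "kind": "east-west-denied",
                               "detail": f"{src_seg}->{dst_seg}:{f['dport']}"})
        elif src_seg and dst_seg is None:
            # Internal-to-external: enforce the egress allowlist and
            # accumulate outbound volume for the anomaly check below.
            dst = ipaddress.ip_address(f["dst"])
            if not any(dst in net for net in EGRESS_ALLOW):
                alerts.append({"host": f["src"], "kind": "egress-denied",
                               "detail": f["dst"]})
            egress_totals[f["src"]] += f["bytes_out"]
    for host, total in egress_totals.items():
        if total > EGRESS_BYTES_PER_HOST:
            alerts.append({"host": host, "kind": "egress-volume",
                           "detail": total})
    return alerts


# Constructed sample flows: one permitted east-west flow, one SMB attempt
# into the deal-room segment, one sanctioned upload, and two large
# transfers from a deal-room host to an unapproved external address.
SAMPLE_FLOWS = [
    {"src": "10.10.5.20", "dst": "10.20.0.10", "dport": 443, "bytes_out": 2048},
    {"src": "10.10.5.20", "dst": "10.30.0.15", "dport": 445, "bytes_out": 4096},
    {"src": "10.10.5.20", "dst": "203.0.113.5", "dport": 443,
     "bytes_out": 1 * 1024 * 1024},
    {"src": "10.30.0.15", "dst": "198.51.100.7", "dport": 443,
     "bytes_out": 20 * 1024 * 1024},
    {"src": "10.30.0.15", "dst": "198.51.100.7", "dport": 443,
     "bytes_out": 40 * 1024 * 1024},
]


def alert_counts(flows=SAMPLE_FLOWS):
    """Summarise evaluate() output as {kind: count}."""
    counts = defaultdict(int)
    for a in evaluate(flows):
        counts[a["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(f"{alert['kind']:17} host={alert['host']} {alert['detail']}")
```

Run as-is, the sample produces one east-west denial (the SMB attempt from a workstation into the deal-room segment), two egress denials for the unapproved destination, and one volume alert once the deal-room host's outbound total passes the 50 MiB budget. In a real deployment the matrix and allowlist would come from the segmentation and egress policy store rather than constants, and the volume baseline would be derived per host role, but the evaluation order shown here (segment lookup, matrix check, allowlist check, then volume aggregation) is the part that matters.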