Powered by MOMENTUM MEDIA

Exclusive: WA law firm confirms cyber attack following Anubis ransomware claims

Threat actors have claimed a cyber attack on a Western Australia-based family law firm, allegedly leaking highly personal and damaging data belonging to clients, as well as business and staff data.


The Anubis ransomware gang listed Paterson & Dowding Family Lawyers on its dark web leak site overnight, detailing data it claims to have stolen from the law firm and posting a detailed sample.

“Paterson & Dowding Family Lawyers is one of the oldest and most respected leading Family Law practices in Western Australia,” said Anubis.

“Today, we will not be discussing the scale of large corporations and millions, but rather the fates of ordinary families who turned to this company in the hope of finding a solution to the difficult life situations they found themselves in.”

 
 

The sample Anubis posted is split up into three categories: client financial data, client business data, and personal data.

“In order to effectively resolve family disputes, lawyers often need extensive information about the financial situation of each party. This includes not only data on income and expenses, but also information about property, assets, and liabilities. You will find all of this in this data breach,” Anubis added.

The financial data included superannuation statement forms, a crypto wallet screenshot, “Pay Advice”, and tax information with the government of Western Australia’s Fire and Emergency Services department.

Anubis then posted company data belonging to a client’s businesses, which included correspondence between it and another company, financial documents and more.

Finally, Anubis leaked personal data relating to one client, including private correspondence between him and his family.

“In addition to financial information, much more intimate data was also leaked – correspondence, personal messages, and other details of family relationships,” said Anubis.

The sample includes text screenshots between the client and his family members, relating to familial disputes, as well as emails and a screenshot of a Facebook post.

“Families going through divorce, adoption, or child custody disputes are often under a great deal of stress. The company may have helped solve their problems, but no one expected it to become a source of new stress for its clients,” Anubis added.

It is currently unclear how many clients were impacted by the incident. Anubis has yet to publicly set a ransom payment amount.

In response to Cyber Daily’s request for commentary, a spokesperson from Paterson & Dowding confirmed that data had been accessed and exfiltrated.

“We recently experienced a cyber incident that impacted our firm. As soon as we became aware of unusual activity on our system, we took immediate action to engage external experts, contain the incident and commence an urgent investigation,” the spokesperson said.

“Unfortunately, at this early stage of our investigation, we have identified that a subset of personal information was accessed and taken by an unauthorised third party. We are also aware that some information has been published externally by the unauthorised third party, and we are urgently investigating the nature and extent of this data.

“We are urgently notifying all clients and staff and outlining precautionary steps they can take to protect their information. We will continue to support our clients and staff.

“We have notified the Office of the Information Commissioner and the Australian Cyber Security Centre. We are committed to adhering to our regulatory obligations.

“We take the privacy of our clients and staff very seriously, and we sincerely apologise for any concern or inconvenience this incident has caused.”

A “journalist” for Anubis ransomware using the alias Tobias Keller, who also claimed to run the ransomware gang, reached out to Cyber Daily detailing the incident, as part of a longer discussion covering other listings made by the threat group.

In reference to Cyber Daily’s coverage of other Australian victims, Pound Road Medical Centre and Aussie Fluid Power, Keller announced that Paterson & Dowding was part of a wave of four law firms that the group would list on the dark web.

“This time there will be leaks from four different law firms in a row. We will publish two now and two in a few days. And of course we’ll start with Paterson & Dowding Family Lawyers – an Australian firm,” Keller told Cyber Daily.

“Paired with them we’ll put Goodfellow & Schuettlaw – their fellow victims. Two more firms will be published shortly to stoke audience interest.”

Goodfellow & Schuettlaw, a Canadian law firm, was listed at the same time as Paterson & Dowding, with a similarly dramatic description and detailed data sample. It is currently unknown which two other law firms were allegedly breached.

In their email to Cyber Daily, Keller then alleged that the law firms “didn’t care about cyber security” and accused IT members of wrongdoing.

Anubis has a tendency to exaggerate its accusations against victims to increase pressure. After listing its first Australian victim, Pound Road Medical Centre, at the beginning of the year, the group claimed that the medical centre had engaged in medical malpractice in a number of instances, a claim that it never backed up.

Additionally, unlike many ransomware actors, Anubis uses its leak posts to outline in detail the data stolen from its victims, focusing on exposing what it believes is sensitive data to further coerce and shame its victims.

The group also offers media access to exclusive data and poses as journalists to apply additional pressure.

Keller first reached out to Cyber Daily following coverage of the cyber incident impacting Aussie Fluid Power.

“Good day, Cyber Daily team! I am working with the Anubis-RaaS group as a journalist,” the hacking group told Cyber Daily via email.

“Please note the leak in Australia: Aussie Fluid Power. More victims from Australia, law firms, and many others will be published in the near future. If you are interested, we can provide you with the information first.”

When asked about their motivation, the individual claimed to be the leader of the Anubis group, before admitting that it was an attempt to pressure its victim.

“The company suffers the most damage when we send information about the leak to various regulatory authorities,” the Anubis spokesperson said.

Anubis is a relative newcomer to the ransomware ecosystem, with just over 20 victims listed on its leak site since it went live in February 2025. According to security researchers, the gang's members appear to be Russian speakers, and the group is a ransomware-as-a-service operation.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.