On April 21, 2026, the Anubis ransomware group claimed responsibility for a targeted attack on Samuel I. White, PC, a US-based law firm operating at samuelwhitepc.com. The threat actors have publicly threatened to leak exfiltrated legal data unless the firm enters ransom negotiations, marking another high-profile incident in the ongoing wave of ransomware operations against the legal sector.

What Happened

Anubis listed Samuel I. White, PC on its dark web leak site on April 21, 2026, characterizing the intrusion as a "significant breach at a law firm." The group's standard operating model involves double-extortion: encrypting victim systems while simultaneously exfiltrating sensitive data to use as leverage. The public listing on the leak site signals that initial private negotiations either failed or were never initiated, escalating the campaign to a public pressure phase. Samuel I. White, PC has not yet issued a public statement confirming or denying the breach.

What Was Taken

Anubis has not yet published sample data or specified the volume of records exfiltrated, but the group's threat to "leak sensitive legal data" indicates that document repositories, case files, or client communications were accessed during the intrusion. Law firms typically hold highly sensitive material including privileged attorney-client correspondence, financial records tied to real estate and foreclosure matters (Samuel I. White, PC has historically focused on creditor representation and default services), personally identifiable information for thousands of borrowers and homeowners, and confidential litigation strategy documents. The full scope of the data theft will likely become clearer if Anubis publishes proof samples in the coming days.

Why It Matters

Law firms remain among the most attractive targets for extortion-focused ransomware crews because the data they hold is uniquely sensitive and the legal and reputational consequences of exposure create strong incentives to pay. A breach at a creditor-focused practice like Samuel I. White, PC carries downstream risk for every financial institution, mortgage servicer, and individual borrower whose records may have been processed by the firm. Anubis has demonstrated continued operational tempo in 2025 and 2026, distinguishing itself with an unusual affiliate model that includes a data monetization program, allowing operators to sell stolen data even when victims refuse to pay, which raises the long-tail risk for victims and their clients alike.

The Attack Technique

Public details on the initial access vector for this specific incident have not been disclosed. Anubis affiliates have historically relied on a mix of phishing, exploitation of internet-facing services such as VPN appliances and remote management tools, and the purchase of valid credentials from infostealer log markets. After gaining a foothold, operators typically conduct internal reconnaissance, escalate privileges via tools like Mimikatz, move laterally across the network using legitimate administrative protocols, and stage data for exfiltration before deploying the encryption payload. Indicators of compromise specific to this intrusion have not been published.

What Organizations Should Do

• Assume credentials are exposed: Audit dark web and infostealer log sources for leaked employee or contractor credentials tied to your domain, and force resets on any matches.
• Enforce phishing-resistant MFA: Require hardware-backed or FIDO2 authentication on all external-facing services including VPN, email, and remote access portals to neutralize credential reuse attacks.
• Validate offline, immutable backups: Confirm that backups exist outside the production domain, are tested for restoration, and cannot be deleted or encrypted by a domain-privileged attacker.
• Hunt for known Anubis TTPs: Review endpoint and network telemetry for evidence of credential dumping tools, abnormal use of PsExec or RDP, and unauthorized cloud storage uploads consistent with staging and exfiltration.
• Segment sensitive document stores: Apply strict access controls, logging, and DLP monitoring to file shares and document management systems containing privileged client data.
• Prepare a legal and communications playbook: Engage outside counsel, incident response retainers, and notification specialists in advance so that any decision around negotiation or disclosure is made with proper guidance, not under duress.

Sources: Anubis Ransomware Targets Samuel I. White, PC in Major Cyberattack - DeXpose