LOS ANGELES: A cybercriminal ring claiming to have stolen a huge cache of data from a major media and entertainment law firm - whose clients include Bruce Springsteen, Madonna, Elton John and Lady Gaga - is demanding a US$21mil ransom payment, according to a published report.

New York-based Grubman Shire Meiselas & Sacks this week confirmed its computer systems were hacked, an incident that allegedly resulted in the theft of 756 gigabytes of private documents and correspondence. It has declined to comment further.

“We have notified our clients and our staff [of the cyberattack],” firm said in a statement to Variety. “We have hired the world’s experts who specialise in this area, and we are working around the clock to address these matters.”

The hackers issued a ransom demand of US$21mil to the law firm, the New York Post reported on May 12, citing an anonymous source. The attackers have threatened to gradually release batches of the purloined data if they don’t receive payment. The firm is not negotiating with the cyberattackers, while the FBI is said to be investigating the case, the Post reported.

On May 13, the group apparently responsible for the attack tried to share an initial 1-gigabyte collection of documents and files to the Mega file-upload service - however, the hackers’ account was terminated by Mega for violating terms of service, and the download link was disabled. In an online post, the hackers cited Coveware, a ransomware remediation firm, as the “sponsor” of their attempted document leak and taunted Grubman Shire Meiselas & Sacks by saying it was “a mistake to hire a recovery company in the negotiations”.

News of the hack surfaced last week. The attack on the law firm - whose client list spans music artistes, actors and TV personalities, sports stars, and media and entertainment companies - was carried out by a group called "REvil”, also known as "Sodinokibi”, according to cybersecurity firm Emsisoft. The group has previously targeted companies and organisations including Travelex, the UK-based currency-exchange company, which paid US$2.3mil in bitcoin to hackers after a ransomware attack, the Wall Street Journal reported.

The hackers alleged they have possession of information on the law firm’s clients past and present, including Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, Run DMC and Facebook. 

 - Reuters