{
	"id": "6b168e69-5324-4e37-ac1d-74b3fc7a3a02",
	"created_at": "2026-04-06T00:14:12.457843Z",
	"updated_at": "2026-04-10T03:29:40.130702Z",
	"deleted_at": null,
	"sha1_hash": "a4950fe0bcaf2f444e62a6d2ef9cc0046dacab05",
	"title": "Legal services platform used by SEC, Pentagon investigating ransomware attack claims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70851,
	"plain_text": "Legal services platform used by SEC, Pentagon investigating\r\nransomware attack claims\r\nBy Jonathan Greig\r\nPublished: 2023-06-02 · Archived: 2026-04-05 14:05:26 UTC\r\nA legal document platform used by several arms of the U.S. government is investigating claims by a ransomware\r\ngroup that it has been attacked.\r\nCasepoint, based outside of Washington, D.C., provides organizations with a platform to post legal documents for\r\nlitigation, investigations and compliance.\r\nIn April the company signed a five-year deal with the United States Courts Defender Services Office and provides\r\nservices to the Securities and Exchange Commission, the U.S. Department of Defense, the U.S. Department of\r\nVeterans Affairs, the USDA, Marriott and more.\r\nBut this week, the BlackCat/AlphV ransomware group added Casepoint to its list of victims, sharing several\r\nsensitive documents allegedly related to the FBI and claiming to have access to the company's network.\r\nJames Lasson, Casepoint’s vice president of marketing, initially told Recorded Future News that there was “no\r\nvalidation that a breach has occurred.”\r\n“We have not heard anything from the cyber group for a ransom. We have not seen any unusual activity on our\r\nnetworks that would suggest out of the ordinary data movement off our systems. We are working with the FBI to\r\ndetermine the appropriate next steps,” he said.\r\n“SEC, DOD and other government clients are on a different network than our commercial clients.”\r\nIn a follow-up statement, a spokesperson for the company said it activated its incident response protocols on\r\nTuesday and hired a forensic firm to help investigate the allegations. The firm is serving “as an extra set of eyes\r\non the remediation work we’ve already performed to date,” the company said.\r\nBut they reiterated that the company is fully operational and has not experienced any disruption to its services. 
Its\r\nclients have been able to continue using the platform as usual, they added.\r\nThe forensic firm is in the process of running scans and deploying advanced endpoint detection monitoring tools,\r\nlooking for signs of suspicious activity.\r\n“We are early on in our investigation and are committed to keeping our clients informed as we learn more,” the\r\nspokesperson said.\r\n“We’re on top of it, and we know transparency and proactivity is key to a good response to these types of matters.\r\nWe appreciate the trust our customers and employees put in Casepoint and will do everything we can to continue\r\nearning it.”\r\nThe company did not respond to follow-up questions asking whether the documents leaked by the ransomware\r\ngang were legitimate and came from the platform.\r\nBlackCat claimed to have 2 terabytes of data from Casepoint and provided a wide variety of samples. The gang\r\nhas in the past claimed attacks on major companies like Ring that were later denied by the victims.\r\nMany experts said the hackers associated with the ransomware gang were also the people behind the Darkside\r\nransomware group – which was responsible for the cyberattack on Colonial Pipeline.\r\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/casepoint-legal-tech-platform-investigating-ransomware-attack-claims-blackcat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/casepoint-legal-tech-platform-investigating-ransomware-attack-claims-blackcat"
	],
	"report_names": [
		"casepoint-legal-tech-platform-investigating-ransomware-attack-claims-blackcat"
	],
	"threat_actors": [
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434452,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4950fe0bcaf2f444e62a6d2ef9cc0046dacab05.pdf",
		"text": "https://archive.orkl.eu/a4950fe0bcaf2f444e62a6d2ef9cc0046dacab05.txt",
		"img": "https://archive.orkl.eu/a4950fe0bcaf2f444e62a6d2ef9cc0046dacab05.jpg"
	}
}