Ransomware victim disclosure

Law Offices of Michael A. Freedman, P.A. (maflaw.com)

Claimed by aurora · listed 21 days ago

21d

Age

since listed · data leaked

Status timeline

Listed
Apr 29, 2026
Data leaked

At a glance

Group: aurora
Status: Data leaked
Country: US
Sector: Business Services
Listed on leak site: Apr 29, 2026

About the victim

AI dossier — public-source company profile

The Law Offices of Michael A. Freedman, P.A. is a plaintiffs' personal injury law firm based in Maryland with offices in Owings Mills and Glen Burnie, serving the Mid-Atlantic region. The firm specializes in auto accidents, motorcycle accidents, workers' compensation, wrongful death, and DUI/DWI hearings, with over 40 years of experience. It also operates a secondary invention-promotion consulting business (Universal Licensing / Freedman Consulting) under the same EIN.

Industry: Personal Injury & Criminal Defense Law
Address: Offices in Owings Mills, MD and Glen Burnie, MD, USA
Employees: 25

Attack summary

Severity: critical — The breach involves mass exfiltration of HIPAA-regulated medical records, attorney–client privileged communications across hundreds of client matters, plaintext banking credentials with electronic payment authority, a master password vault, staff credential exports enabling cross-system compromise, and criminal defense materials with Sixth Amendment privilege implications — representing one of the most sensitive possible combinations of regulated PII, financial, and legally privileged data.

The Aurora ransomware group claims to have exfiltrated approximately 579 GB (196,701 files across 19,231 directories) from the firm's systems, including client medical records, privileged legal communications, banking credentials, and staff password files. No encryption claim is explicitly stated; the disclosure focuses on data exfiltration and publication of sensitive materials.

critical

Data the group says was taken

AI dossier — extracted from the leak post

Client medical records and HIPAA authorizations
Police reports and settlement releases
IOLTA distribution sheets
Retainer agreements
Attorney–client privileged email archives (Outlook PST files)
Settlement strategy and opposing-counsel communications
Sage ACT! Pro contact database (~5,000–12,000 contacts)
Plaintext banking credentials (M&T Bank, Bank of America)
Paychex and QuickBooks credentials
Firm federal EIN
Master credential vault document with plaintext passwords
Staff browser-exported password CSV (32 plaintext credentials)
M365 and Slack tenant credentials
Hospital portal credentials (MedStar, GBMC)
Invention disclosure documents and NDAs
Exclusive Patent License Agreement drafts
Per-inventor client-company passwords
Criminal defense client retainer agreements and court documents
Axon body-worn-camera footage (448 MB clip)

What the group claims

[law] Law Offices of Michael A. Freedman, P.A. (maflaw.com). The exfiltrated corpus is 579 GB used / 143 GB at root level / 196,701 files / 19,231 directories, dated as recently as a year-2026-in-progress client matter. What this means for a plaintiffs' PI firm of ~25 staff: 656 client-matter folders organised across eight yearly parents from June 2019 through 2026-in-progress. Per-client medical records, HIPAA authorisations, police reports, settlement releases, IOLTA distribution sheets, retainer agreements, and treating-provider correspondence. Two staff Outlook archives at 2.1 GB each, plus a 505 MB Outlook backup, plus 27 enumerated .pst files — years of attorney–client privileged correspondence, settlement strategy, opposing-counsel comms. The complete Sage ACT. Pro v18 contact universe — the live database plus eight historical ZIP backups going back to 2013 plus a 9.3 MB plaintext export (ACT!-Contacts.txt) that any text editor can open. Estimated 5,000–12,000 contacts. The firm's master credential vault in a Word document called Woodywoody78!.docx (the filename is itself the vault password). Plaintext credentials for M&T Bank multi-identity business + commercial accounts (with electronic-payment-approval authority), Bank of America, Paychex, QuickBooks, and the firm's federal EIN. Plus the senior partner's phone-unlock PIN. A staff browser-exported password CSV (32 plaintext credentials) including the M365 tenant, the Slack tenant, hospital portals (MedStar, GBMC, Allstate secure mail), MoveDocs, ChartRequest, MSHC Legal portal — plus residual credentials from prior employers SLF Law and Bailey Law, creating cross-firm contamination liability. The Universal Licensing / Freedman Consulting invention-promotion operation — a second line of business under the same EIN, with hundreds of inventor folders. Per-inventor unpublished invention disclosures, “Internet Presentation of Invention” decks, NDAs, Exclusive Patent License Agreement drafts, patent-art renderings, and per-managed-mailbox client-company passwords. A criminal-defense sub-practice (“SLF criminal” out of Janice's working folder) with retainer agreements and per-client court documents, carrying 6th-Amendment-attorney–client uplift on the privileged-track scoring. An Axon evidence.com MPIA-released body-worn-camera package (449 MB total; a 448 MB clip from the 2020-12-20 Park Baltimore incident).

Sources

Victim sitemaflaw.com
Leak posthttp://u6lieui2dakbctcjea2bz4r4q32r7t36nwljovqbv7mxs6o2smgxixid.onion/blog/maflaw-8a603f4b

Source

Indexed 21 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Disclosure context

About aurora

Timeline of this disclosure

Other recent disclosures by aurora

Sector and geography