Skip to main content

Ransomware victim disclosure

All victims

Law Offices of Michael A. Freedman, P.A. (maflaw.com)

Claimed by Aurora · listed 3 months ago

2m
Age
since listed · data leaked

Status timeline

  1. ListedApr 29, 2026
  2. Data leakeddate unknown

At a glance

Group
Aurora
Status
Data leaked
Listed on leak site
Apr 29, 2026

About the victim

AI dossier — public-source company profile

The Law Offices of Michael A. Freedman, P.A. is a plaintiffs' personal injury law firm based in Maryland with offices in Owings Mills and Glen Burnie, serving the Mid-Atlantic region. The firm specializes in auto accidents, motorcycle accidents, workers' compensation, wrongful death, and DUI/DWI hearings, with over 40 years of experience. It also operates a secondary invention-promotion consulting business (Universal Licensing / Freedman Consulting) under the same EIN.

Industry
Personal Injury & Criminal Defense Law
Address
Offices in Owings Mills, MD and Glen Burnie, MD, USA
Employees
25

Attack summary

Severity: critical — The breach involves mass exfiltration of HIPAA-regulated medical records, attorney–client privileged communications across hundreds of client matters, plaintext banking credentials with electronic payment authority, a master password vault, staff credential exports enabling cross-system compromise, and criminal defense materials with Sixth Amendment privilege implications — representing one of the most sensitive possible combinations of regulated PII, financial, and legally privileged data.

The Aurora ransomware group claims to have exfiltrated approximately 579 GB (196,701 files across 19,231 directories) from the firm's systems, including client medical records, privileged legal communications, banking credentials, and staff password files. No encryption claim is explicitly stated; the disclosure focuses on data exfiltration and publication of sensitive materials.

critical

Data the group says was taken

AI dossier — extracted from the leak post
  • Client medical records and HIPAA authorizations
  • Police reports and settlement releases
  • IOLTA distribution sheets
  • Retainer agreements
  • Attorney–client privileged email archives (Outlook PST files)
  • Settlement strategy and opposing-counsel communications
  • Sage ACT! Pro contact database (~5,000–12,000 contacts)
  • Plaintext banking credentials (M&T Bank, Bank of America)
  • Paychex and QuickBooks credentials
  • Firm federal EIN
  • Master credential vault document with plaintext passwords
  • Staff browser-exported password CSV (32 plaintext credentials)
  • M365 and Slack tenant credentials
  • Hospital portal credentials (MedStar, GBMC)
  • Invention disclosure documents and NDAs
  • Exclusive Patent License Agreement drafts
  • Per-inventor client-company passwords
  • Criminal defense client retainer agreements and court documents
  • Axon body-worn-camera footage (448 MB clip)

What the group claims

[law] Law Offices of Michael A. Freedman, P.A. (maflaw.com). The exfiltrated corpus is 579 GB used / 143 GB at root level / 196,701 files / 19,231 directories, dated as recently as a year-2026-in-progress client matter. What this means for a plaintiffs' PI firm of ~25 staff: 656 client-matter folders organised across eight yearly parents from June 2019 through 2026-in-progress. Per-client medical records, HIPAA authorisations, police reports, settlement releases, IOLTA distribution sheets, retainer agreements, and treating-provider correspondence. Two staff Outlook archives at 2.1 GB each, plus a 505 MB Outlook backup, plus 27 enumerated .pst files — years of attorney–client privileged correspondence, settlement strategy, opposing-counsel comms. The complete Sage ACT. Pro v18 contact universe — the live database plus eight historical ZIP backups going back to 2013 plus a 9.3 MB plaintext export (ACT!-Contacts.txt) that any text editor can open. Estimated 5,000–12,000 contacts. The firm's master credential vault in a Word document called Woodywoody78!.docx (the filename is itself the vault password). Plaintext credentials for M&T Bank multi-identity business + commercial accounts (with electronic-payment-approval authority), Bank of America, Paychex, QuickBooks, and the firm's federal EIN. Plus the senior partner's phone-unlock PIN. A staff browser-exported password CSV (32 plaintext credentials) including the M365 tenant, the Slack tenant, hospital portals (MedStar, GBMC, Allstate secure mail), MoveDocs, ChartRequest, MSHC Legal portal — plus residual credentials from prior employers SLF Law and Bailey Law, creating cross-firm contamination liability. The Universal Licensing / Freedman Consulting invention-promotion operation — a second line of business under the same EIN, with hundreds of inventor folders. Per-inventor unpublished invention disclosures, “Internet Presentation of Invention” decks, NDAs, Exclusive Patent License Agreement drafts, patent-art renderings, and per-managed-mailbox client-company passwords. A criminal-defense sub-practice (“SLF criminal” out of Janice's working folder) with retainer agreements and per-client court documents, carrying 6th-Amendment-attorney–client uplift on the privileged-track scoring. An Axon evidence.com MPIA-released body-worn-camera package (449 MB total; a 448 MB clip from the 2020-12-20 Park Baltimore incident).

Sources

Source

Indexed 3 months ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About aurora

Aurora is a recently emerged ransomware group first observed in April 2026, operating with apparent financial motivations through targeted attacks across multiple sectors. Given its recent emergence, limited public documentation exists regarding the group's specific country of origin or affiliations with established ransomware operations, though its targeting patterns suggest a professional operation potentially operating as an independent entity rather than a known Ransomware-as-a-Service model. The group has demonstrated a preference for attacking business-critical sectors including business services, consumer services, manufacturing, healthcare, and financial services, with documented attacks spanning the United States, Canada, the Maldives, and Great Britain, though specific initial access vectors and technical methodologies remain undocumented by major threat intelligence firms. With only seven known victims documented since April 2026, Aurora represents a relatively small-scale operation compared to established ransomware families, though its cross-sector targeting approach and international victim scope indicate deliberate selection criteria rather than opportunistic attacks. The group remains active as of current reporting, though the limited victim count and recent emergence suggest either a highly selective targeting approach or a nascent operation still developing its operational capabilities. The group has been linked to 21 public disclosures across our corpus. First observed on a leak site on April 29, 2026; most recent post June 30, 2026. The operation is currently active.

Timeline of this disclosure

  • April 29, 2026Law Offices of Michael A. Freedman, P.A. (maflaw.com) listed by auroraon the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Business Services sector, which has 3,796 disclosures indexed across all operators we track. Geographically, Law Offices of Michael A. Freedman, P.A. (maflaw.com) is reported in United States, a country with 3,115 ransomware disclosures in our corpus.

If your organisation is affected

A listing by aurora means Law Offices of Michael A. Freedman, P.A. (maflaw.com) appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Report the incident to your national CERT, CISA (United States), as required for your jurisdiction.
  • Monitor for the data appearing on aurora's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.