A New Zealand law firm is investigating a cyber incident that has seen passport scans and other sensitive data linked to staff and clients posted online by the Anubis ransomware group, a Russian-linked ransomeware group with an increasingly menacing way of attacking organisations.
Langley Twigg Law, based in Napier, says a “small proportion” of its data was compromised in what it describes as a “malicious third-party attack.” The firm disclosed the incident on 26 January, a day after Anubis publicly claimed responsibility on its darknet leak site.
According to the firm, security monitoring tools detected unauthorised network activity on 11 January 2026, triggering an immediate response with its IT support provider.
The firm took its systems offline, disconnecting its network from the internet, and rebuilt systems from backup after additional security hardening, describing the intrusion as a “novel attack” that bypassed existing cyber controls.
Forensics, notifications and next steps
Langley Twigg has engaged digital forensics and cyber incident response specialists, who have confirmed that data was accessed and copied from the firm’s file server.
The compromised information includes internal operational data as well as some client documents, although the firm is still working to determine the precise scope.
The firm has notified the Office of the Privacy Commissioner and New Zealand Police, aligning with its privacy and regulatory obligations. It says affected clients will be contacted once the review of copied information is complete, warning that the process “may take some time” as investigations continue.
What the Anubis group is leaking
On its leak site, Anubis has listed Langley Twigg as a victim and claims to have exfiltrated financial and HR-related material from the firm. The group says the dataset includes financial reports, employee compensation records and associated documentation, along with staff passport details and other personal records.
To increase pressure, Anubis has published numerous employee passport scans and documents that appear to relate to firm clients, including property transaction records, hazard reports and settlement statements carrying Langley Twigg letterhead.
The detail in the leak post, and the apparent authenticity of the documents, is consistent with the group’s tactic of using sensitive data exposure to coerce victims and highlight alleged security failures.
Anubis: new but aggressive ransomware player
Anubis is a relatively new entrant to the ransomware-as-a-service ecosystem, first observed in February 2025 and linked to attacks on at least 46 organisations globally. Security researchers say the group appears to be Russian‑speaking and operates on a franchise model, providing ransomware tooling and infrastructure to affiliates.
IT experts say Anubis has an optional “wipe mode” feature which permanently erases the contents of the files, suggesting that the threat actor could wipe their victim’s files if the ransom is not paid.
Unlike some groups that post only high-level teasers, Anubis frequently publishes granular descriptions of stolen data and threatens regulatory fallout for victims as a pressure lever.
The group has also been known to impersonate journalists and offer “exclusive” access to stolen data as part of its extortion playbook, with its most recent ANZ victim before Langley Twigg being Queensland medical practice Laidley Family Doctors in December 2025.
