Organizations in the Legal industry, such as law firms, rely on IT for many of their critical operations. The very nature of this industry makes them prime candidates for ransomware attacks. Law firms and other legal businesses handle high volumes of sensitive client data that threat actors perceive as valuable.
By locking down IT systems and important data with malware that encrypts these resources, ransomware groups demand a payment to decrypt the compromised assets. This article looks at ransomware in the Legal industry by focusing on recent high-profile incidents and offers some best practices for becoming more resilient to attacks.
Ransomware in the Legal Sector: The Statistics
Ransomware is a significant issue in the cyber threat landscape for the legal sector. Here are some of the statistics that shed light on the scale of the problem:
- One report found that the most notable change in industries impacted by ransomware attacks in Q1 2021 was the professional services industry, specifically law firms.
- Malicious (phishing) emails, from which ransomware attacks often originate, are up 600% due to COVID-19.
- The average ransom payment demanded by successful attackers grew sharply from $5,000 in 2018 to $200,000 in 2021.
High-Profile Ransomware Attacks on Law Firms
Ward Hadaway, UK: April 2022
Ward Hadaway is a major law firm based in the UK. They reported in April 2022 that they had been hit by a ransomware attack. Details of the attack were limited, but the company did report that the criminals demanded a ransom of $3 million in Bitcoin or threatened to release what they said was a tranche of highly sensitive data. The criminals said that the ransom would double to $6 million if not paid within one week. The company reported the attack to the UK's National Cyber Security Centre and the local police. It is not known if the confidential data was ever released or if any ransom was ever paid.
4 New Square: June 2021
4 New Square is a London-based commercial barristers' (lawyers') chambers. In June 2021, reports emerged that the organization was targeted by a ransomware attack in which the attackers blackmailed the company, threatening to expose its sensitive data online.
An intriguing aspect of this attack was that 4 New Square obtained a United Kingdom High Court injunction that ordered the perpetrators not to "use, publish or communicate or disclose to any other person any of the (unspecified) data they stole." This is an incident worth following closely to see whether the stolen data ultimately gets released on the dark web. As of the time of writing, it appears the injunction has been surprisingly effective because no reports have come to light about 4 New Square data appearing online.
Campbell Conroy & O'Neil: February 2021
Campbell Conroy & O'Neil, P.C. is a large law firm that works with A-list clients such as Ford, Boeing, and Walgreens. A July 2021 press release revealed that the organization became the victim of a ransomware attack in February 2021. The press release stated that “the network was impacted by ransomware, which prevented access to certain files on the system.”
It appears that a range of sensitive information about individuals was accessed during the attack. The breached information included names, dates of birth, driver's license numbers, financial account information, Social Security numbers, and payment card information. To minimize the reputational damage from this attack, the firm is offering 2 years of complimentary access to credit monitoring, fraud consultation, and identity theft restoration services for affected individuals.
Jones Day: February 2021
The notorious Clop ransomware group could count law firm Jones Day among its victims after a successful February 2021 ransomware attack. Reports suggest that the method of attack was through exploiting a zero-day vulnerability in the Accellion file transfer service.
This previously undiscovered vulnerability provided an entry point to steal sensitive data belonging to Jones Day. Interestingly, the Clop group didn’t even bother encrypting the sensitive information; they used the vulnerability to simply steal data and demand a ransom for its return. After Jones Day failed to respond to ransom demands, stolen information began appearing on the dark web.
Grubman Shire Meiselas & Sacks: May 2020
One of the most high-profile ransomware incidents across all sectors in 2020 was the ransomware attack on the entertainment law firm, Grubman Shire Meiselas & Sacks (GSMS). The company counts A-list celebrities such as Lady Gaga, Madonna, Bruce Springsteen, and Elton John among its clients. Data belonging to these high-profile clients was compromised in the attack.
The REvil group was behind this incident, and they set the ransom demand at $42 million. The impact on GSMS was severe because not only was privileged data exfiltrated, but key IT systems were also encrypted, which disrupted operations. The privileged data included nondisclosure agreements, phone numbers, email addresses, and private correspondence.
Improving Cyber Resilience in the Legal Sector
Improving cyber resilience across the legal sector is critical in mitigating the potentially severe financial and reputational impacts of ransomware. The torrent of attacks faced by legal organizations shows no sign of abating as ransomware becomes more accessible to any malicious party willing to pay for a ransomware-for-hire service. Here are some actionable tips to prevent and mitigate ransomware.
Invest in Phishing Defenses
Phishing is a low-cost and high-reward practice that often provides an entry point for successful ransomware attacks to infiltrate a network. A threat actor sends a convincing email and gets a victim to download malicious software either via an attachment or a link.
Effective defense mechanisms against phishing include the following:
- Investing in an advanced email security solution: Phishing emails are more convincing than ever, often using personal details gleaned from social media. It is critical to have an email security solution in place that makes it difficult for phishing emails to ever reach employee inboxes. This solution could include the ability to filter suspicious emails and use anti-spoofing controls.
- Minimizing external information: Prospective clients naturally want to see the people they will be doing business with when using legal services. However, it is prudent not to reveal too much information on a public-facing resource, such as the company website or social media. Threat actors often turn to websites and social media to find out information about key company stakeholders that can help them craft more targeted phishing emails.
- Phishing training: It is always helpful to promote greater employee awareness of phishing emails through training programs. It is important to temper expectations about how effective training can be in stopping every phishing email. The best phishing emails can fool cybersecurity experts. It is more important to help employees understand the threat and encourage them to report emails that they think look suspicious, even if they prove not to be.
Manage and Update Apps and Operating Systems
Many ransomware attacks exploit vulnerabilities in existing software or operating systems. It is important to apply security patches in a timely manner to reduce exposure to these risks. It is also worth performing due diligence on the applications and software that law firms allow into their IT ecosystems. The recent Kaseya ransomware attack exposed between 800 and 1,500 organizations to a vulnerability in IT management software.
Have a Backup and Disaster Recovery Strategy
Ransomware groups commonly try to exfiltrate data from IT systems before locking those systems down. This practice is known as double extortion, and its aim is to increase the probability of receiving a ransom payment. Due to the sensitive nature of legal data, threat actors believe that they’ll be able to demand a ransom payment in return for not releasing this sensitive data onto the dark web.
The natural response to double extortion is to doubt the usefulness of a backup strategy. After all, if a third party gets their hands on your data, does it matter that you have the data backed up? However, not all ransomware attacks are of this nature and hackers won’t always successfully exfiltrate data.
Backing up sensitive data offline and to multiple storage locations remains a good defense against ransomware attacks. There should also be a disaster recovery strategy that minimizes downtime for IT systems. Ransomware attacks often spread to take over multiple workstations and other IT assets. A disaster recovery strategy can replicate key IT infrastructure and applications to the cloud so that organizations can resume their important legal work using personal laptops while they try to restore on-premises infrastructure.
Organized criminal ransomware groups will continue to target companies operating in the legal sector because where there is sensitive data, there is money to be made. From small legal services companies to large law firms, investments in hardening cyber defenses against ransomware attacks are worthwhile when weighed against the costs of a data breach or a loss of access to important documents and applications.
To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today.