
Law Firm Ransomware Attacks

Your law practice has a mound of highly sensitive material, which includes everything from client tax filings to corporate trade secrets. This puts you at risk of becoming a prime target for ransomware attackers, who are becoming more aggressive by the day—and the scenario is more likely than you might imagine. According to the results of our recent poll, a full third of law firms have been targeted in the last year.

In this study, we’ll provide the findings of our recent law firm security survey, which will help you understand why the ransomware threat is expanding at such a rapid pace, as well as ideas for reducing the risk to your company.


What is ransomware and how does it work?

Ransomware encrypts a victim’s data and denies access to it until a ransom is paid in full. Ransom payments are nearly always demanded in cryptocurrencies such as Bitcoin and Monero, which are decentralized digital currencies. The malware encrypts files using randomly generated symmetric and asymmetric keys; after the ransom is paid, the victim is sent the asymmetric key that may (hopefully) be used to decrypt the files.

Ransomware targeting law firms is a serious and growing concern.

On June 4, the Biden administration equated the threat of modern ransomware to that of international terrorism and urged all businesses to treat it more seriously than they had before. This came after the attack on Colonial Pipeline in May, which caused gas shortages along the East Coast, and a subsequent attack in June on JBS, the world’s largest beef producer.

Although ransomware has existed since the late 1980s, you may not have heard of it until the WannaCry attacks of 2017 thrust the scheme into the international spotlight. Within days of the first WannaCry infections, hundreds of thousands more followed across more than 150 countries, bringing down everything from the United Kingdom’s National Health Service to Spain’s largest telecommunications provider, Telefónica.


Figure: Google Trends search volume for the phrase “ransomware” over eight years. Interest spiked with WannaCry in 2017, and the most recent uptick began with the Colonial Pipeline attack in May. (Source)

Also in 2017, a severe but lesser-known ransomware outbreak known as NotPetya infected computers around the world, causing more than $1.2 billion in losses. NotPetya was a considerably more sophisticated threat than WannaCry, causing widespread disruption at large corporations, including DLA Piper, one of the world’s three largest law firms.

For more than a week, DLA Piper’s network was down, preventing attorneys from accessing client data, email, and even phone systems, according to the company. In the end, the attack cost DLA Piper an estimated $300 million and necessitated many months of remediation before the firm was able to resume normal operations.

If DLA Piper couldn’t prevent a ransomware attack, what hope does a small or midsize firm like yours have?

According to the legal firms that responded to our study, not so much.

In the last 12 months, one out of every three law firms has been targeted by ransomware.

Our survey found that 58 percent of small and midsize law firms have been victims of ransomware at some point. Furthermore, one in three firms (33 percent) has been targeted in the last year alone.

Figure: share of law firms that have been targeted by ransomware.

In contrast to widely distributed outbreaks such as WannaCry and NotPetya, newer human-operated ransomware strains such as Ryuk and REvil increasingly target specific businesses and government agencies. The groups behind them use ransomware-as-a-service models, in which affiliates carry out attacks in exchange for a share of the proceeds.

As a result, we have seen a sharp increase in highly targeted attacks on organizations known to hold critical and time-sensitive data, such as hospitals and law firms. Ransomware gangs know that these firms have a low tolerance for downtime and are therefore highly motivated to restore operations as quickly as possible.

It gets worse. Two-pronged attacks have recently emerged that lock your data and also threaten to post a copy of the stolen information on a public website if the ransom isn’t paid, adding the prospect of a public data breach to the pressure to pay.

These highly targeted attacks come with enormous ransom demands. The Colonial Pipeline attack netted roughly $5 million for a ransomware group known as DarkSide (a REvil affiliate), while the JBS attack netted a whopping $11 million. Even those figures pale in comparison to the staggering $40 million ransom paid by insurance firm CNA Financial in March, following a weeks-long ransomware attack on the company.

What steps should law firms take in the event of a ransomware attack?

According to our study results, a whopping 69 percent of legal firms are willing to pay the ransom. Firms that pay a ransom can restore access to their data in approximately two out of every three cases (65 percent). However, this also means that 35 percent of businesses pay a ransom and receive nothing in return.

Figure: how law firms respond to a ransomware attack.

Of the law firms that refused to pay, 57 percent succeeded in decrypting their data or otherwise removing the malware from their computers. Another 32 percent recovered by restoring from a data backup, the critical safeguard against total data loss, which is the worst-case outcome of a ransomware attack.

If you discover that your company has been a victim of ransomware, contact your local FBI field office and file a report with the Internet Crime Complaint Center (IC3).

You can also turn to free services such as ID Ransomware and the No More Ransom project to identify which ransomware family you’re dealing with and to look for a decryption tool that may let you recover your files without paying the attacker.

All law firms should have a robust data backup and restoration strategy to fall back on if everything else fails. If your firm doesn’t have one, review Capterra’s data backup software shortlist to pick the tool that best fits your needs.
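A backup is only useful if the files in it are still intact. The script below is an added example for this article, not a tool from Capterra or from any service the article names; it walks a restore set (or a suspect share) and flags files that look encrypted, using two signals: a file whose extension claims a known format but whose header no longer matches it, and a file of unknown format whose bytes are near-random. The format table, the entropy threshold and the sample files are assumptions constructed for the demonstration.

```python
"""Spot files that have been encrypted in place before trusting a backup or restore set.

Added example for this article; it is not a tool from Capterra or from any service
the article names. The format table, the entropy threshold and the sample files are
assumptions constructed for the demonstration.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Magic bytes for formats a law office typically holds (assumed subset; extend as needed).
MAGIC = {
    "pdf": (b"%PDF",),
    "docx": (b"PK\x03\x04",),       # OOXML documents are zip containers
    "xlsx": (b"PK\x03\x04",),
    "zip": (b"PK\x03\x04",),
    "doc": (b"\xd0\xcf\x11\xe0",),  # legacy OLE2 compound file
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and random data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data: bytes) -> bool:
    printable = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return all(b in printable for b in data)


def classify(path: Path, sample_size: int = 65536) -> str:
    """Return 'ok', 'header-mismatch' or 'high-entropy' for one file.

    A compressed but intact .docx is high-entropy too, so the magic bytes are
    checked first: only files whose claimed format and header disagree, or whose
    format is unknown and whose bytes look random, are flagged.
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    ext = path.suffix.lstrip(".").lower()
    if ext in MAGIC:
        if any(head.startswith(sig) for sig in MAGIC[ext]):
            return "ok"
        return "header-mismatch"  # e.g. a .pdf that no longer starts with %PDF
    if looks_like_text(head):
        return "ok"
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "high-entropy"  # unknown format and near-random content
    return "ok"


def scan_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its verdict."""
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_tree(root: Path) -> None:
    """Constructed sample: two intact files and two stand-ins for encrypted ones."""
    rng = random.Random(2021)  # deterministic stand-in for ciphertext

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    clients = root / "clients"
    clients.mkdir()
    (clients / "brief.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 200)
    (clients / "notes.txt").write_text("Meeting notes, 14 June: discuss retainer.\n" * 50)
    (clients / "contract.pdf").write_bytes(noise(65536))        # encrypted in place, name kept
    (clients / "ledger.xlsx.locked").write_bytes(noise(65536))  # encrypted and renamed


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:16} {name}")
```

Run it against a mounted restore before declaring the backup good; a high count of header mismatches means the backup was taken after the encryption started and an older restore point is needed.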


5 suggestions for safeguarding your law practice from a ransomware attack

Some ransomware strains capture network credentials, while others enter your network through unprotected ports or remote devices, according to security experts. Most infections, however, result from insufficient network security, phishing schemes, and poor employee cybersecurity hygiene. Listed below are a few measures you can take to reduce the risk of a ransomware attack on your firm.

Tip #1: Improve your security posture.

An assessment of your company’s cybersecurity risks can help you obtain a comprehensive picture of your company’s information assets and discover security weaknesses that could put them in danger. To detect and address network vulnerabilities, some businesses prefer to take it a step further and employ penetration testing (also known as controlled hacking).

In our poll, 83 percent of the companies said that they had completed a security evaluation of their digital systems at some point in the past—although just 39 percent reported that they had done so in the previous year. Because of the changing nature of cyber threats, it is necessary to conduct security assessments every year.

If you want to increase security but aren’t sure where to begin, one option is to use the ISO/IEC 27001 framework to establish a baseline for your firm, regardless of whether or not you choose to pursue certification. Adopting the ISO/IEC 27001 standard helps your firm discover security flaws and build the policies and procedures necessary to protect itself against cybersecurity attacks.

Tip #2: Make certain that all software is up to date.

The WannaCry and NotPetya attacks used the EternalBlue exploit to infect Windows devices that had not been patched. Microsoft had released the fix months before the first WannaCry attacks, and any firm that had correctly updated its systems would have avoided infection with relative ease.

The lesson is to keep all of your software up to date. Enable automatic updates on software that offers them, and regularly check for updates on software that doesn’t. Keep in mind that software eventually reaches end of life, at which point the vendor no longer supports it or issues updates; in some cases you will need to upgrade to new software or replace unsupported devices.

Tip #3: Use strong passwords and authentication methods.

Use strong passwords or passphrases of at least 12 characters (always including numbers, uppercase letters, lowercase letters, and special characters), and use a different password for every account. Many firms use password management software to make this easier: it generates strong passwords and stores them securely.

Passwords alone are not sufficient, however. Make sure two-factor authentication (2FA) is enabled for all of your business applications (i.e., require a second factor such as a code sent to your mobile phone). Attackers use a variety of tactics to infiltrate networks, take over accounts, and ultimately deploy ransomware, and 2FA is the single most effective way to block most of them.

Unfortunately, only 54 percent of the firms surveyed use two-factor authentication across all business apps. That is far too low: it means nearly half of all law firms are relying solely on passwords to protect client information. Consider that the Colonial Pipeline attack began with a single compromised password for a commercial VPN account that did not have two-factor authentication enabled.

Tip #4: Protect yourself against phishing scams.

Phishing remains the most common attack vector for ransomware. According to the FBI, the DLA Piper ransomware attack was traced back to the firm’s location, where an administrator clicked a link in a phishing email.

Everyone on the legal team needs to be aware of sophisticated phishing techniques that target specific employees and trick them into opening a malicious link, downloading a malware-laden attachment, or entering their credentials on a phony website. Run phishing tests to evaluate whether your employees are vulnerable to social engineering and phishing attacks.

Our data show that 52 percent of law firms use email as their main form of internal communication, so protecting yourself from email-borne attacks should be one of your highest priorities. You can browse our email security catalog to find the right tool for your firm.
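The malicious links described above share a few mechanical tells that a script can check before anyone clicks. The following is an added example for this article, not code from Capterra or from any email security product: it extracts every link from an HTML message and flags a link whose visible text points somewhere other than its real target, a bare IP address as host, a non-ASCII (homoglyph) hostname, and a host that borrows the firm’s name inside someone else’s domain. The firm domain, the rules and the sample message are assumptions constructed for the demonstration.

```python
"""Triage the links in a suspicious email before anyone clicks them.

Added example for this article; it is not code from Capterra or from any email
security product. The firm domain, the rules and the sample message are
assumptions constructed for the demonstration; a real deployment would sit in a
mail gateway or a reporting workflow and add URL reputation lookups.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

FIRM_DOMAIN = "ourfirm.example"  # assumed: the firm's own domain

# Constructed sample body: one benign link and three typical lures.
SAMPLE_EMAIL = """
<p>A document from a client is waiting for your review.</p>
<p><a href="http://198.51.100.23/review">Review document</a></p>
<p><a href="https://ourfirm.example.portal-login.test/sso">https://portal.ourfirm.example/sso</a></p>
<p><a href="https://\u043eurfirm.example/reset">Reset password</a></p>
<p><a href="https://portal.ourfirm.example/cases">Open case file</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_firm_host(host: str) -> bool:
    return host == FIRM_DOMAIN or host.endswith("." + FIRM_DOMAIN)


def assess_link(href: str, text: str) -> list:
    """Return the indicators that apply to one link (an empty list means none found)."""
    findings = []
    host = host_of(href)
    if urlsplit(href).scheme != "https":
        findings.append("non-https")
    if is_ip_literal(host):
        findings.append("ip-literal-host")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        findings.append("non-ascii-host")  # IDN homoglyph candidate
    firm_label = FIRM_DOMAIN.split(".")[0]
    if firm_label in host and not is_firm_host(host):
        findings.append("lookalike-of-firm-domain")  # our name used inside someone else's domain
    # If the visible text itself looks like a URL or hostname, it must point where it claims.
    shown = text if "://" in text else ("http://" + text if "." in text and " " not in text else "")
    if shown and host_of(shown) != host:
        findings.append("display-href-mismatch")
    return findings


def triage_email(html_body: str) -> dict:
    parser = LinkExtractor()
    parser.feed(html_body)
    return {href: assess_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in triage_email(SAMPLE_EMAIL).items():
        print(f"{href}\n    {', '.join(findings) or 'no indicators'}")
```

The same checks make a good basis for the phishing tests the article recommends: a test message that trips none of them is the kind employees most need practice spotting.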

Tip #5: Provide frequent security awareness training to employees.

The most important step in preventing all forms of cybersecurity attacks is to educate people about cybersecurity. According to the results of our poll, 75 percent of small and midsize businesses regularly conduct security awareness training.

And while three out of four isn’t too shabby, a closer look reveals that small businesses are significantly behind their midsize counterparts: only 65 percent of small businesses provide regular security awareness training, compared to 84 percent of midsize businesses. Furthermore, an alarming one in ten small businesses says it never conducts security awareness training.