Law Firms

Chris Swagler | July 3rd, 2023

 

An increasing number of ransomware attacks on law firms prompted the United Kingdom’s National Cyber Security Centre (NCSC) to issue a threat report warning the legal sector that its clients’ most sensitive information is in the crosshairs of some of the most prolific ransomware actors on the scene. It is time for law firms to become more serious about protecting their networks. Mondelez, the snack food conglomerate behind the brands Ritz and Oreo, announced that the personal information of 51,000 of its current and former workers had been exposed as a result of a cyberattack on its law firm, Bryan Cave Leighton Paisner. Legal companies are collectively shrugging off calls for improving cybersecurity, and ransomware threat operators are surely not objecting.

According to the NCSC’s recent cyber threat report for the United Kingdom’s legal industry, threat actors targeting the legal sector range from petty cybercriminals using off-the-shelf ransomware tools to nation-state threat actors backed by China, Iran, North Korea, and Russia. The report states that threat operators have hit over 75% of the United Kingdom’s top 100 law firms.

Law firms hold large amounts of sensitive information about their clients in addition to personal information about their employees. Threat actors are drawn to the legal sector because of this personal and other sensitive information, including corporate information, trade secrets, merger and acquisition information, and medical records. Beyond the sensitive data licensed attorneys hold and the damage its exposure may cause, attorneys have an ethical obligation to protect their clients’ secrets, which adds personal and professional reputation to the list of potential losses.

Ransomware Attacks on Law Firms

According to information from a threat response team, ten cyberattacks were launched against six law firms in the first two months of 2023 alone. In addition to the Mondelez incident, Genova Burns LLC, a Newark, New Jersey law firm, confirmed a data breach in April that affected the personal information of an unknown number of Uber drivers. HWL Ebsworth, Australia’s most prominent law partnership, which represents hundreds of clients and government agencies, was also breached by Russian-backed ALPHV/Blackcat.

Reputational damage is a considerable risk, as numerous law firms are high-profile companies and are a good starting point for subsequent supply chain attacks. The Mondelez incident indicates the need to strengthen the supply chain, as this type of attack is among the most destructive tactics cybercriminals use. Because law firms may be linked to other targets, including their partners or clients, they are an appealing entry point for threat actors.

Even with the growing threat of ransomware cyberattacks, the PricewaterhouseCoopers Annual Law Firms Survey, cited by United Kingdom cybersecurity regulators in their advisory to the legal sector, revealed that the top 100 law firms spent less than 1% of their fee income on cybersecurity. 64% of IT leaders in the legal industry are intimidated by the amount of labor required to develop their internal security operations, and 80% believe a program would be too expensive.

For law firms with limited resources, cybersecurity begins by identifying the firm’s most important “crown jewels” and focusing on securing those first. Even when a smaller firm’s IT/security budget is low, regularly encouraging and auditing the same essential cyber-hygiene tips given to clients, including MFA, installing available software updates, and being paranoid in the face of unsolicited communication, can go a long way in reducing risk even before those items are centrally managed with enterprise tooling.

In addition to basic hygiene and employee training, a firm’s most sensitive data needs to be prioritized. Implementing specific measures that focus on diplomatic data protection is a massive step in proactively mitigating risks associated with the exfiltration of sensitive and proprietary data. Law firms that implement data classification processes and technology focused on securing sensitive data and preventing unauthorized access to and interaction with it reduce the risk of compromised accounts being able to exfiltrate data from their environments for extortion or sale on the Dark Web.

Experts generally believe cyber insurance is crucial for law firms and related companies. Insurance providers can offer a lifeline of knowledge in executing a cyber incident response and in covering losses. Law firms that have not yet obtained cyber insurance should seriously consider doing so. Numerous cyber insurance policies include resources for the insured, such as cyber-breach lawyers and incident response teams, as part of the policy. When an incident is detected, the first call should be to the cyber insurance company.

As part of their overall breach response plan, law firms need to identify what resources they will use and who they will contact in case of a breach, including insurance carriers, cyber-breach lawyers, incident response, and communication/public relations. Having resources lined up in advance and a plan in place in case of a breach will allow law firms to respond more quickly and efficiently. Having an incident response plan in place will also assist the incident response team in remaining calm.

With more ransomware groups and cyber threat operators targeting high-profile law firms in the hopes of stealing sensitive data, it’s always important to remain alert to the latest threat landscape and have an incident response plan implemented. At SpearTip, our IR planning engages a three-phase approach, which includes pre-incident, active incident, and post-incident planning processes. In the pre-incident aspect, SpearTip will identify key stakeholders and decision-makers, critical data, and potential access points and then engage in a live test, after which we offer remediation guidance. To benefit your team during an incident, we assist in developing a communications plan designed to quickly detect and isolate the precise threat with a customized strategy map. The post-incident planning process development includes root cause and investigative audit, improvement analysis, and backup recovery. Our certified engineers continuously work at our 24/7/365 Security Operations Center, monitoring law firms’ data networks for potential ransomware and other cyberattacks. Our IT remediation team focuses on restoring law firms’ operations, isolating ransomware to reclaim their networks, and recovering their business-critical assets.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
