Law firms and ransomware: a unique danger

A novel threat with disastrous consequences

Jötnar Systems, Alister Brenton

A notorious ransomware group known as "Maze" has recently made industry headlines after attacking three law firms in the United States within 72 hours. It is expected that these attacks will continue in the days and weeks ahead, and not necessarily limited to the US.

A new development

While ransomware attacks in the past have primarily focused on simply encrypting data, thus disrupting the victim's ability to continue doing business, the Maze attacks have been so far unique in that they leverage the use of exfiltrated data in order to apply added pressure to victims to pay up.

Maze initially names its victims on their website and, if that doesn't work, they publish a small excerpt of the stolen data online. This is designed to serve as proof that they possess the data and, according to threat analysis firm Emsisoft, is "the equivalent of a kidnapper sending a pinky finger [in the mail]".

Should the victim still fail to pay the ransom, Maze will dump the remainder of the stolen data on their website.

A disaster waiting to happen

It goes without saying that to the legal firm, this kind of data theft can constitute a waking nightmare. According to a study by Crowe, KYND, and the University of Portsmouth’s Centre for Counter Fraud Studies, over 90 percent of analysed law firms were exposed to some form of cybersecurity risk. Combined with the latest ransomware threats seeming to be specifically targeted at law firms, along with data theft being specifically used as a means of extortion, this creates a situation with potentially wide-reaching and devastating consequences.

Under the GDPR and domestic data protection laws, malicious attacks that involve data theft are considered to be the most serious type of data breach, and are treated very differently from run-of-the-mill malware infections. Organizations affected by these types of breaches are required to notify regulators within 72 hours of the breach occurring and, if the data is sensitive or likely to cause damage to the data subject, the subject themselves must also be notified within the same timeframe. To a law firm, data is almost guaranteed to fall under this category and therefore the potential damage to reputation cannot be overstated.

How to stay protected - five simple steps

1. Be extremely careful when handling emails.

The Maze ransomware (and indeed most other forms of malware) are understood to be primarily spread by malicious email attachments.

2. Train staff to exercise caution.

Employees across all levels of your firm should be trained to think before they click. Links and attachments in incoming emails should always be checked to ensure they are legitimate; and if in doubt, should be verified with the sender using a non-email method of communication.

3. Be careful of urgent language. 

Most phishing attacks rely on persuading the victim to click on a link in an email or open an attachment, and the best way to do this is to instill a sense of urgency in the recipient - to try and get them to click before they have time to stop and think. Staff should instead be extra careful of emails that employ unduly pushy or urgent language.

4. Verify the sender's address.

Criminals often use domain name and display name spoofing to disguise the true address of the sender. Always take the time to check that the display name matches the expected "From" address - for example, that the email comes from "someone@example.com" instead of "example.com@yahoo.com" or similar. Technical solutions like SPF and DKIM should also be employed for added security of incoming emails.

5. Employ a suitable security system.

There are many endpoint security systems on the market today, ranging from free "DIY" tools to fully managed commercial solutions. A good endpoint security solution will be smooth and unintrusive during day-to-day work, but act to keep your users and computers protected from malicious websites and email viruses. The more advanced systems also come with built-in security alerting and the ability for a dedicated service provider to monitor your entire network remotely and keep your systems up to date.

Over 90% of UK law firms are vulnerable to cybercrime.

Help us keep you in the 10% - contact us today at protect@jotnarsystems.com