Did you know the biggest growth in cybercrime in the UK in 2019 was in ransomware, which was up by 195% in the first half of last year?
In fact, the UK was the second most attacked country in the world.
The problem has been around for more than a decade now: the CryptoLocker attack in 2007 spread through emails infected with malware and is thought to have attacked more than 500,000 computers.
Criminals used a network of hijacked home PCs to spread the ransomware, and this network was eventually uncovered by law enforcement and internet security professionals.
Some of the more recent ransomware attacks include:
Spread throughout 150 countries in 2017, exploiting a vulnerability in Windows to lock out users and demand a Bitcoin ransom. It affected more than 30% of UK hospital trusts and cost the NHS more than £92 million. Worldwide, it is estimated to have cost $4 billion in financial losses.
Targeted insecure websites in 2017, getting unsuspecting users to click on something which installed malware. In this attack, it was a fake Adobe Flash player.
Claimed to have hijacked users’ webcams and demanded ransoms from people, threatening to make intimate images public. This attack hit in 2018 and became so widespread that it inspired the development of a decryptor by internet security companies.
First used in 2016, it encrypted entire hard drives via a fake job application email. It attacked computers’ master file tables.
This attacked more than 2,000 targets, including banks and prominent Russian oil producers. It even forced Chernobyl nuclear plant workers, who were locked out of their PCs, to check their radiation levels manually.
This deleted more and more files as the hours ticked by and a ransom wasn’t paid. It started in 2016.
There are serious implications for any law firm which suffers a ransomware attack.
Under the General Data Protection Regulation (GDPR), a firm must inform the relevant authority, which in the UK is the Information Commissioner’s Office, of any data breach, and it may face investigation. In the case of serious breaches, law firms must also inform the data holders themselves.
For any legal practice, this would be a huge blow to their operations and the reputation of the firm.
Law firms often hold sensitive information about clients, such as financial and medical records, and records of criminal convictions. Data thieves could use the information to blackmail those clients.
It is likely that this data would be deemed ‘special category’ under GDPR, which would necessitate contacting each of the data subjects directly.