The legal sector has faced “astronomical ransom demands” from cyber-attackers in recent years, ranging from $30,000 to $21m, according to new research.
The research found that, since 2018, 138 law firms globally have publicly confirmed ransomware attacks on their systems, affecting at least 2.9 million records. Most of these were in the US, with the UK the next worst affected.
Last year saw the highest number of attacks (45) and records affected (1.6 million) so far, said Comparitech, a cyber-security research and information website that maintains a worldwide ransomware tracker.
Head of data research Rebecca Moody wrote in her report that the legal sector was “an increasingly attractive target for cyber-criminals”.
She explained: “With troves of sensitive data, hackers can shore up their chances of securing payment by threatening to put solicitors’ clients’ data on the dark web if their ransom demands aren’t met.”
Ms Moody said a growing number of ransomware gangs were using “double-extortion tactics” by stealing data and encrypting systems.
“The legal sector has faced astronomical ransom demands in recent years. The average ransom demand following an attack on a legal firm is $2.47m, but the average ransom paid is lower at $1.65m.”
The company’s research uncovered ransoms ranging from $30,000, paid by Parisian law firm Cabinet Remy Le Bonnois in 2021, to $21m demanded of New York firm Grubman Shire Meiselas & Sacks after it was hit by REvil ransomware.
This was later upped to $42m when the gang realised that Donald Trump’s data was among the data stolen, but the firm refused to pay.
Among the largest ransoms known publicly was the $3m demanded of North-East law firm Ward Hadaway.
“After the Lorenz ransomware gang targeted the UK law firm in March 2022, a $3m ransom was demanded. It threatened to post the data online and double the ransom demand to $6m if these demands weren’t met,” said Ms Moody.
“The firm successfully secured an injunction against its attackers preventing them from leaking the data. How successful this was against anonymous hackers, however, is debatable.”
Information about how many firms actually paid ransoms was hard to secure, she said. “Although the legality of paying a ransom is heavily debated, it is often the quickest way for companies to restore their systems and limit the impact of a data breach.
“Preventing companies from paying ransoms may help to ward off hackers to some extent but it is only part of the potential solution.
“For example, the UK’s Cyber Security and Resilience Bill could enforce mandatory reporting of ransomware attacks. Making sure companies are reporting attacks will help raise awareness and knowledge of these attacks and will perhaps reduce the ‘taboo’ that so often surrounds the word ransomware.
“It would also ensure anyone whose data has been impacted in a ransomware attack is aware of this from the offset.”
The five firms that had the most records stolen were all in the US and each then faced class action lawsuits.
The research indicated that spikes in attacks coincided with the end/start of tax years in many countries.
“Legal firms, especially those within the commercial sector, will likely experience higher workloads and tighter deadlines during this time, as well as the pressure of finalising their own budgets.
“Our research suggests ransom payments may also be more likely during these times. Out of the six legal organisations that confirmed paying a ransom, five of them made payments between January and April.”
The research identified only 11 cases where there was confirmed downtime at firms as a result of an attack, ranging from hours to four weeks, with an average of 11 days.
“In some cases, the effects of such downtime can be catastrophic. In March 2022, London-based The Ince Group was hit with a LockBit ransomware attack. The firm spent £5m restoring its systems before it filed for administration in April 2023 after failing to raise enough funds to cover the costs of the cyber attack and other shortfalls.”