It's Open Season on Law Firms for Ransomware & Cyberattacks

An increasing rash of ransomware attacks on law firms prompted the UK's National Cyber Security Centre to release a threat report last week advising the legal sector that their clients' deepest, darkest, most sensitive secrets are in the crosshairs of some of the most prolific ransomware actors on the scene — and its time to get serious about securing legal sector networks.

The timing is apropos; just days ago snack food conglomerate Mondelez, behind brands like Ritz and Oreo, said the personal data of 51,000 of its current and former employees was compromised following a cyberattack on its law firm Bryan Cave Leighton Paisner. Yet so far, the calls for improved cybersecurity are being met with a collective shrug from legal organizations, and ransomware cyberattackers certainly don't object.

Threat actors targeting the legal sector run the gamut from petty cybercrime thugs with off-the-shelf ransomware tools to nation-state actors backed by China, Iran, North Korea, and Russia, according to the recent cyber threat report for the UK legal sector published by the NCSC. It reported that nearly 75% of the UK's top-100 law firms have been affected by cyberattacks.

"In addition to possessing personal information about their employees, law firms possess significant amounts of sensitive information concerning their clients," attorney and cybersecurity expert Jonathan Gallo of Woods, Rogers, Vandeventer, Black PLC tells Dark Reading about why cyberattackers are drawn to the legal sector. "This can include not only personal information, but other sensitive information such as sensitive corporate information, trade secrets, merger and acquisition information, medical records, and other information."

Besides the sensitive data they hold and the potential damage their exposure might inflict, licensed attorneys have an ethical obligation to protect their client secrets, according to Gallo, which adds personal and professional reputation to the list of potential losses.

Ransomware Targeting Law Firms Across Globe

Over the first two months of 2023 alone, 10 cyberattacks were launched against six different law firms, according to findings from eSentire's Threat Response Team.

In addition to Mondelez, Genova Burns LLC, a Newark, NJ law firm, confirmed it was breached in April, resulting in the personal information of an unknown number of Uber drivers being compromised. The largest legal partnership in Australia, representing hundreds of clients and government agencies, HWL Elsworth, was also breached by Russian-backed ALPHV/Blackcat this spring.

"Reputational damage is a big risk, as many law firms are high-profile organizations," Christine Gadsby, vice president of product security at BlackBerry explains to Dark Reading about the legal sector threat landscape. She adds that law firms are a good starting point for follow-on supply chain attacks.

"The [Mondelez] incident highlights the need to strengthen the supply chain — these types of attacks are among the most destructive strategies used by cybercriminals today," Gadsby says. "These organizations may be connected to other targets, such as their partners or clients, making them an attractive entry point for threat actors."

However, in the face of the increasing risk of ransomware cyberattack, PriceWaterHouseCoopers Annual Law Firms Survey cited by the UK cybersecurity regulators reported that the top 100 law firms spent less than 1% (just 0.46%) of their fee income on cybersecurity, point out in their advisory to the legal sector.

And a full 64% of IT leaders in the legal sector interviewed by BlackBerry research indicated they are daunted by the amount of work necessary to build their own internal security operations and 80% said a program would be too expensive, Gadsby explains to Dark Reading.

How Do You Secure Law Firm Data From Ransomware Cyberattacks?

For organizations with a limited budget, cybersecurity starts with identifying the organization's most sensitive "crown jewels" and working on defending those first, Dan Trauner, senior director of security with Axonius explains.

"With that in mind, even if a smaller company's IT/security budget is low, routinely encouraging (and ideally auditing) the same basic cyber-hygiene tips given to consumers — enable MFA, install available software updates, and be 'politely paranoid' in the face of unsolicited communication — will go a long way towards reducing risk even before these items are centrally managed with enterprise tooling," Trauner says.

Drew Schmitt with the GuidePoint Research and Intelligence Team notes that cybersecurity for the legal sector starts with basic information security best practices including patching, endpoint detection and response (EDR), having security information and event management (SIEM) tools in place, in addition to incident response planning, and more.

Schmitt agrees that in addition to basic hygiene and employee training the focus should be on the firm's most sensitive data first.

"Having specific measures focused on sensitive data protection is a great step towards being proactive in mitigating risk associated with data exfiltration of sensitive and proprietary data," Schmitt says. "Implementing data classification processes and technology focused on securing and preventing unauthorized access and interaction with sensitive data will help reduce the risk of a compromised account being able to exfiltrate data from the environment for extortion and/or sale on the Dark Web."

Cyber Insurance Should Play a Role in Law Firm Response

Experts widely agree that cyber insurance coverage is critical for law firms and related organizations. Beyond covering losses, insurance carriers can provide lifelines of expertise in running a cyber incident response.

"Firms who have not already done so should seriously consider obtaining cyber insurance," Gallo says. "Often, cyber insurance policies provide resources such as cyber-breach lawyers and incident response teams for the insured as part of the policy."

As soon as an incident is detected, the first call should be to a cyber insurance carrier, Gallo adds.

"As part of the firm's overall breach response plan, the firm should identify in advance what resources it will utilize and who it will contact in the event of a breach, e.g. insurance carrier, cyber breach lawyers, incident response, communications/public relations firm, etc.," Gallo says. "By lining up these resources in advance and having a plan in the event of a breach, a firm will be in a better position to respond more quickly and efficiently."

Critically, Gallo advises having an incident response in place will help the incident response team remain calm.

"Above all, try not to panic!" Gallo recommends.