Law Firms (and Client Data) Held Hostage

Hackers have successfully hit at least five United States law firms within the past few weeks. Reportedly, the attacks are part of a coordinated effort potentially affecting nearly 200 victims in January alone. As if that were not frightening enough, the threat to law firms and to their clients has magnified substantially in light of the type of attack now employed against law firms.

Rather than delivering a ransom note to the infected system and waiting for payment, the recent hackers are publishing the victim’s name on a public website. If the victim does not pay, the hackers post a small amount of stolen data–client data–online as proof. Still won’t pay? Then the hackers slowly publish the client’s remaining data. The hackers are leveraging the target law firm’s obligation to maintain client data, forcing the firm to make the impossible decision of paying the ransom or publicly exposing a client’s information.

Reportedly, the hackers used Maze ransomware. The FBI warned of Maze in December 2019 and called for vigilance to combat this particular attack, which began hitting the US in November 2019. According to the FBI, Maze used multiple methods for intrusion, including spam communications that impersonate government agencies and others. Of course, Maze is just one of the different strains of ransomware emerging of late.

Importantly, hackers cannot achieve their goal without access to your network. Ransomware can be delivered in PDF, ZIP, Word, Excel and other formats. Opening a malicious attachment may deploy the ransomware immediately or in the future. We don’t yet know the exact nature of these attacks, but it is generally understood that the vulnerability is the point of access, hence the need to take precautions to shore up phishing security.

To that end, here are some expert risk management tips for law firms:

  • Exercise extreme caution when using email, given the suspicion that the hackers are utilizing malicious email attachments.
  • Train staff to be cautious and to “think before they click.” If unsure, verify the sender by telephone.
  • Avoid enabling macros, which are an effective way to automate common tasks but also a common tool for delivering ransomware.
  • Be wary of urgent language.
  • Verify the sender’s address to ensure that the display name matches the mailto address.
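
The last tip, checking that the display name matches the actual sending address, can also be automated during mail triage. The following is an added example, not part of the original post: `check_from` is a hypothetical helper, and the sender names, domains and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed allow-list: display names the firm expects -> domains they really use.
EXPECTED_DOMAINS = {
    "internal revenue service": {"irs.example"},
    "smith & jones llp": {"smithjones.example"},
}
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def check_from(raw_message: str) -> list[str]:
    """Return reasons the From header looks spoofed (empty list if none)."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("From", []))
    if len(pairs) != 1 or "@" not in pairs[0][1]:
        return ["From header missing, malformed, or has multiple addresses"]
    name, addr = pairs[0][0].strip(), pairs[0][1].lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # 1. Display name shows an address that is not the real sending address.
    for shown in ADDR_IN_NAME.findall(name):
        if shown.lower() != addr:
            findings.append(f"display name shows {shown} but mail is from {addr}")
    # 2. Display name claims a known sender, but the domain is not theirs.
    allowed = EXPECTED_DOMAINS.get(name.lower())
    if allowed and not any(domain == d or domain.endswith("." + d) for d in allowed):
        findings.append(f"'{name}' does not normally send from {domain}")
    return findings


# Constructed sample messages (headers only).
SAMPLES = {
    "agency_lookalike": 'From: "Internal Revenue Service" <notice@irs-refunds.example>\nSubject: Urgent\n\n',
    "address_in_name": 'From: "billing@smithjones.example" <x9@mail-relay.example>\nSubject: Invoice\n\n',
    "legitimate": 'From: "Smith & Jones LLP" <intake@smithjones.example>\nSubject: Hello\n\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_from(raw) or "ok")
```

A clean result only means the header is internally consistent; it does not authenticate the sender, so telephone verification still applies when in doubt.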