Ransomware Hits Law Firms Hard—And It’s Worse Than Ever Before

March 5, 2020  |  5 min read

If you follow legal industry news, then you’ve probably read about at least a few ransomware attacks. Customers locked out of projects, lawyers shut out of their system, employees warned not to turn on wifi when approaching their office—ransomware attacks can get ugly quickly. Even large firms and respected vendors can fall victim.

But the “traditional” cyberattack seems relatively mild compared to a new wave of ransomware attacks hitting law firms, attacks where law firm data isn’t just encrypted and held for ransom, but where it’s released to the public when the ransom isn’t paid.

New Wave of Ransomware Attacks Hits Law Firms

This latest evolution of ransomware attacks is being driven by a new form of ransomware known as Maze. A typical Maze attack works similarly to a normal ransomware attack: The victim’s network is infiltrated and its information encrypted or otherwise seized. That’s, unfortunately, not unusual. But it’s in what comes next that Maze breaks with past practices.

In the most typical ransomware fact pattern, after encryption is complete, a ransom is then demanded, often via Bitcoin payment, in order to obtain a decryption key. It’s that kind of attack that shuttered DLA Piper for days in 2017.

But with Maze, that data isn’t just encrypted, it’s exfiltrated first—stolen. And while cyber ransoms have often been handled (and paid) in the darker alleys of the internet and often without public knowledge, hacking groups using Maze conduct their crimes in broad daylight. Victims are listed publicly on Maze’s website. The hackers then demand two ransoms, totaling between $1-2 million: one ransom to get their data back, another to have it destroyed.

If victims don’t pay up, their data is slowly made available to the public.

It’s the cyber equivalent of a severed finger delivered to your doorstep.

Maze’s public website, according to Krebs on Security, includes the date of the infiltration, the total volume of data stolen, and the IP addresses and machine names of the servers accessed. The site reads [sic]:

“Represented here companies dont wish to cooperate with us, and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!”

So far, at least five law firms in three states have been victims of the attack, according to reports by SCMedia. And at least one of those law firms appears to have paid to be delisted, Law.com reports, only to have its internal data subsequently released to the public. The leaked information was highly sensitive, according to the electronic evidence and information security blog Ride the Lightning:

“The data includes pain diaries from personal injury cases, fee agreements, and HIPAA consent forms among other documents.”

The identity of the hackers behind Maze attacks is largely a mystery, though the French government has suggested that the group is connected to a hacker group that had previously attacked the German government and U.S. tax professionals.

These most recent attacks don’t seem to be targeted at law firms exclusively, but the release of law firm data can be particularly devastating, given the sensitivity of data in law firms’ possession.

Indeed, it is the sensitivity of law firm data that makes law firms, along with financial institutions and healthcare providers, such a valuable target to hackers. Nowhere is that sensitive data more concentrated than during the discovery process, where sensitive information—the stuff worth suing over—is all gathered in one place. And far too often that place is an on-prem system that is horribly out of date, with limited resources devoted to protecting it from intrusion.

It’s no wonder then, that experts identify discovery repositories as particularly enticing, and vulnerable, targets for hackers. “The reality is this is already happening,” according to Lael Andara, litigation partner at Ropers Majeski. “We just haven't necessarily identified the hacks.”

And it’s no wonder, either, that security-minded legal professionals are taking a harder look at their discovery processes, limiting the amount of data that leaves their control, and opting for encrypted, highly-secure, closed-loop systems for their most sensitive documents.

How Maze Differs From Past Attacks

The Maze attacks mark a particularly troubling evolution in ransomware attacks. In the past, such attacks were largely a private affair. Data was held hostage through encryption, locally on your machines, and a ransom demanded for its decryption.

If you paid the ransom, there was a chance (but no guarantee) that your information could be recovered.

If you followed the advice of organizations like the FBI and refused to pay, you could rely on backups to restore your information without, hopefully, crippling disruption—or public knowledge. For, despite a growing number of data breach disclosure laws, it’s estimated that only a small percentage of law firm data breaches are ever reported.

The Maze attack changes that equation. By not just encrypting data, but exfiltrating it and threatening to expose it to the public, the hackers can gain even further leverage over their victims—particularly if their victims deal with sensitive information.

Maze hackers seem to be particularly strategic in their attacks as well. Infiltration strategies include impersonating government agencies and security vendors, for example.

Even when a ransom is paid, there is no guarantee that your data will be safe. As Brett Callow, a threat analyst at the cybersecurity company Emsisoft, notes:

“Organizations that have data stolen have no good options available to them. Threat actors will promise to destroy data if ransoms are paid – but why would a criminal enterprise destroy data that it may be able to further monetize? The answer is that they probably will not.”

Every instance of cybercrime may leave you saying “there but for the grace of God go I,” but there are steps that can be taken to reduce your risks of becoming a victim of ransomware. As the FBI notes, “proactive prevention is the best defense.” That includes staying on top of the latest threats and training your employees.

Email scanning, firewalls, anti-virus programs, and following the “principle of least privilege”—that is, granting access to data or administrative tools to only those who have an absolute need for it—can all help protect against cyberattacks and reduce their impact, should they arise. Additionally, using tools that have robust security controls, such as data encryption in transit and at rest, and cloud-based software which is kept constantly up-to-date, can go a long way to protecting your information, and your clients.

For legal professionals, it’s no longer acceptable to wait for a problem to arise before addressing it. When it comes to cybersecurity, a proactive approach is the only way to stay secure.

Yet too many of us still rely on past practices and past tools that are disasters waiting to happen. Unsecured email, weak or nonexistent access control policies, a susceptibility to phishing attacks, on-prem hardware and software that is rarely updated—all of these practices are commonplace, and all help increase the odds that, when the hackers come, you won’t be able to keep them out.