
Cyberattacks on UK Law Firms Surge by 77% Amid Rising Ransomware Threat

By ISB Staff Reporter. August 28, 2024. Updated: November 8, 2024.

The number of successful cyber attacks on UK law firms has soared by 77% over the past year, rising from 538 incidents to 954, according to a recent study.

The increase is attributed to the lucrative nature of law firms as targets for cybercriminals, particularly for ransomware attacks and blackmail attempts. Malefactors will often demand a blackmail payment from law firms or threaten to post their sensitive data on the internet. In some instances, bad actors also lock firms out of their data until a ransom is paid.

Lubbock Fine partner Mark Turner emphasized the appeal of law firms to cybercriminals, noting that the data they hold is often highly sensitive and valuable. “This makes them a very attractive target,” Turner said. 

Astronomical Ransom Demands

A recent survey by Comparitech claimed that since 2018, “138 legal firms across the globe have publicly confirmed ransomware attacks on their systems, impacting at least 2.9 million records.”

The report said 2023 saw the highest number of attacks (45) with 1.6 million records affected thus far. “The legal sector has faced astronomical ransom demands in recent years,” the report continued. “The average ransom demand following an attack on a legal firm is $2.47 million, but the average ransom paid is lower at $1.65 million.”

This research sheds light on the scale of the problem. The UK ranks second only to the United States in terms of the number of ransomware attacks reported in the legal sector. Other research by Cert-UK revealed that nearly two-thirds (65%) of UK law firms have been victims of a cyber event, yet despite this, more than a third (35%) of them still do not have a cyber mitigation plan in place.

Refusing to Pay

Attackers often increase their chances of securing payment by threatening to release solicitors’ clients’ data on the dark web if their demands are not met.

One of the most high-profile incidents involved a New York law firm that refused to pay a $42 million ransom after a gang obtained data on its clients, including former President Donald Trump. In the UK, top 100 firm Ward Hadaway secured a High Court injunction in 2022 against unknown hackers to prevent the release of stolen data, though the effectiveness of such measures against anonymous attackers remains questionable. The report also links a ransomware attack to the collapse of the Ince Group in the same year.

Earlier this year, security consultancy One Brightly Cyber reported a ‘targeted campaign’ against law firms and chambers in London, with a significant spike in activity on May 24. This campaign also highlights the rising threat faced by the legal sector.

According to a report by the National Cyber Security Centre, nearly three-quarters of the UK’s top 100 law firms have been impacted by cyber-attacks. In response to these escalating threats, Turner advises that law firms need to implement stronger cyber defenses than most businesses. “This might include segregating data across different departments, teams, and individual clients,” he suggested.

A Grim Record

“Unfortunately, this is just the tip of the iceberg: a significant number of sophisticated and successful intrusions into law firms remain undetected and thus never reported,” says Dr Ilia Kolochenko, CEO at ImmuniWeb and Partner & Cybersecurity Practice Lead at Platt LLP. “Moreover, when an intrusion is performed by skilled attackers, even detection may be technically impossible due to the unpreparedness of law firms and sophistication of the attacks, let alone investigation as all digital traces will be artfully wiped out.”

Kolochenko says professional cyber mercenaries and organized crime increasingly have law firms of all sizes in their crosshairs to get their hands on the highly valuable clients’ data that legal professionals hold.

“Sometimes, exploitation of compromised data – including but not limited to financial and M&A information, trade secrets, personal lives of celebrities or influential politicians – may bring hundreds of millions of dollars to perpetrators or the mastermind behind the technical evildoers.”

Worse, Kolochenko says that with the rapid proliferation of freely available GenAI, lawyers incrementally fall victim to various types of social engineering and phishing attacks, which are not really technical but rather aptly exploit human error.

“These attacks are pretty simple and inexpensive to orchestrate; however, they can bring even better results for criminals compared to advanced hacking campaigns aiming at taking control of law firms’ networks and servers. 2024 will certainly hit another grim record of breached law firms.”
