Its Open Season on Law Firms for Ransomware & Cyberattacks

Law firms have an ethical responsibility to protect their clients sensitive information, but a recent swell of cyberattacks does not seem to be enough to convince law firms to shore up cybersecurity.

An increasing rash of ransomware attacks on law firms prompted the UKs National Cyber Security Centre to release a threat report last week advising the legal sector that their clients deepest, darkest, most sensitive secrets are in the crosshairs of some of the most prolific ransomware actors on the scene — and its time to get serious about securing legal sector networks.
The timing is apropos; just days ago snack food conglomerate
Mondelez, behind brands like Ritz and Oreo
, said the personal data of 51,000 of its current and former employees was compromised following a
cyberattack on its law firm
Bryan Cave Leighton Paisner. Yet so far, the calls for improved cybersecurity are being met with a collective shrug from legal organizations, and ransomware cyberattackers certainly dont object.
Threat actors targeting the legal sector run the gamut from petty cybercrime thugs with off-the-shelf ransomware tools to nation-state actors backed by China, Iran, North Korea, and Russia, according to the recent
cyber threat report for the UK legal sector
published by the NCSC. It reported that nearly 75% of the UKs top-100 law firms have been affected by cyberattacks.
In addition to possessing personal information about their employees, law firms possess significant amounts of sensitive information concerning their clients, attorney and cybersecurity expert Jonathan Gallo of Woods, Rogers, Vandeventer, Black PLC tells Dark Reading about why cyberattackers are drawn to the legal sector. This can include not only personal information, but other sensitive information such as sensitive corporate information, trade secrets, merger and acquisition information, medical records, and other information.
Besides the sensitive data they hold and the potential damage their exposure might inflict, licensed attorneys have an ethical obligation to protect their client secrets, according to Gallo, which adds personal and professional reputation to the list of potential losses.
Over the first two months of 2023 alone, 10 cyberattacks were launched against
six different law firms
, according to findings from eSentires Threat Response Team.
In addition to Mondelez, Genova Burns LLC, a Newark, NJ law firm,
confirmed it was breached
in April, resulting in the personal information of an unknown number of Uber drivers being compromised. The largest legal partnership in Australia, representing hundreds of clients and government agencies, HWL Elsworth, was also
breached by Russian-backed ALPHV/Blackcat
this spring.
Reputational damage is a big risk, as many law firms are high-profile organizations, Christine Gadsby, vice president of product security at BlackBerry explains to Dark Reading about the legal sector threat landscape. She adds that law firms are a good starting point for follow-on supply chain attacks.
The [Mondelez] incident highlights the need to strengthen the supply chain — these types of attacks are among the most destructive strategies used by cybercriminals today, Gadsby says. These organizations may be connected to other targets, such as their partners or clients, making them an attractive entry point for threat actors.
However, in the face of the increasing risk of
ransomware cyberattack
, PriceWaterHouseCoopers Annual Law Firms Survey cited by the UK cybersecurity regulators reported that the top 100 law firms spent less than 1% (just 0.46%) of their fee income on cybersecurity, point out in their advisory to the legal sector.
And a full 64% of IT leaders in the legal sector interviewed by BlackBerry research indicated they are daunted by the amount of work necessary to build their own internal security operations and 80% said a program would be too expensive, Gadsby explains to Dark Reading.
For organizations with a limited budget, cybersecurity starts with identifying the organizations most sensitive crown jewels and working on defending those first, Dan Trauner, senior director of security with Axonius explains.
With that in mind, even if a smaller companys IT/security budget is low, routinely encouraging (and ideally auditing) the same basic cyber-hygiene tips given to consumers — enable MFA, install available software updates, and be politely paranoid in the face of unsolicited communication — will go a long way towards reducing risk even before these items are centrally managed with enterprise tooling, Trauner says.
Drew Schmitt with the GuidePoint Research and Intelligence Team notes that cybersecurity for the legal sector starts with basic information security best practices including patching, endpoint detection and response (EDR), having security information and event management (SIEM) tools in place, in addition to
incident response planning
, and more.
Schmitt agrees that in addition to basic hygiene and
employee training
the focus should be on the firms most sensitive data first.
Having specific measures focused on sensitive data protection is a great step towards being proactive in mitigating risk associated with data exfiltration of sensitive and proprietary data, Schmitt says. Implementing data classification processes and technology focused on securing and preventing unauthorized access and interaction with sensitive data will help reduce the risk of a compromised account being able to exfiltrate data from the environment for extortion and/or sale on the Dark Web.
Experts widely agree that
cyber insurance coverage
is critical for law firms and related organizations. Beyond covering losses, insurance carriers can provide lifelines of expertise in running a cyber incident response.
Firms who have not already done so should seriously consider obtaining cyber insurance, Gallo says. Often, cyber insurance policies provide resources such as cyber-breach lawyers and incident response teams for the insured as part of the policy.
As soon as an incident is detected, the first call should be to a cyber insurance carrier, Gallo adds.
As part of the firms overall breach response plan, the firm should identify in advance what resources it will utilize and who it will contact in the event of a breach, e.g. insurance carrier, cyber breach lawyers, incident response, communications/public relations firm, etc., Gallo says. By lining up these resources in advance and having a plan in the event of a breach, a firm will be in a better position to respond more quickly and efficiently.
Critically, Gallo advises having an incident response in place will help the incident response team remain calm.
Above all, try not to panic! Gallo recommends.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Its Open Season on Law Firms for Ransomware & Cyberattacks