
Ransomware: A Threat to Law Firms Big and Small

December 10, 2020

Much of the world began to understand the enormous threat of ransomware in 2017, when the WannaCry attack infected more than 200,000 computers in roughly 150 countries. In that notorious example, the attackers encrypted victims' data (emails, documents and other files) and demanded a ransom in Bitcoin for the decryption key; the resulting damages were measured in the billions. Since then, at least two major law firms have suffered widely reported ransomware attacks.

Despite these high-profile incidents, lawyers at smaller firms may imagine the threat of a ransomware attack to be a remote one. Unfortunately, quite the opposite is true. According to a recent analysis by Tari Schneider, former chief security architect at Hewlett-Packard Enterprise, firms with fewer than 20 lawyers have accounted for more than half of all ransomware attacks on law firms. And if that is not frightening enough, consider the price of being targeted. Two years ago, the average ransomware demand was $5,000. Today, the average has risen to $200,000, according to Brett Callow, a threat analyst at Emsisoft. And the ransom itself is only part of what a targeted firm pays.

Even when a demand falls well short of those figures, it is still large enough to do real damage, both in hard dollars and in the cost of the business interruption while systems are down.

So the first step for small and midsize firms in defending against a ransomware attack is realizing that, just like the largest global firms, they can become a target. The next two steps are to begin thinking ahead about ways that they can prepare for an attack, and to start planning how they might respond if one does take place.  

Preparedness and Prevention

There are several actions law firms can take to prepare for a ransomware attack, or, better yet, to prevent one in the first place. They include conducting an audit of the firm’s IT security and obtaining a cybersecurity insurance policy, according to Cari Brunelle, a corporate communications advisor who has counseled law firms on their responses to malware attacks, including ransomware incidents.

Beyond that, there are two additional steps for law firms beginning to grapple with ransomware preparedness. The first is identifying key people who will be responsible for handling the response to cyber incidents. “Forming your team is really important,” Brunelle says. At a midsize firm, she says, the group should include at minimum a member of firm leadership, the firm’s general counsel and an IT representative. In most cases, there should also be members of the team from outside the firm, including experts from the firm’s insurer and a forensic specialist that the firm has on call.

Plenty of providers, like CrowdStrike and Mandiant Solutions, are eager to play that role for law firms, and they offer preventive services in addition to reactive ones. These may be the most vital outside partners for small firms, which may only have one internal member on their cyber-response team.

Brunelle also highlights the importance of creating a communications plan. Ransomware attacks will often take out a firm’s phone system, website and email capabilities. Firms in that situation face huge communication challenges, even if they have planned in advance. “It’s like being dropped in the forest with only your personal cellphone,” Brunelle says. Among other things, she advises firms to gather personal phone and email information for all attorneys and staff in order to keep internal communication flowing in an emergency.

Firms should also think about how they will communicate with clients if they lose their email system, Brunelle says. “If your clients can’t get in touch with you, that’s a worst-case scenario.”

Response Planning

Ransomware victims face one obvious question: Should they pay or not? The business of law firms—which involves inflexible court deadlines and extremely sensitive client information—can create enormous pressure to pay the bad actors. But there are strong reasons not to as well. According to 2017 numbers, among ransomware victims that paid up, just 47% received a key that effectively decrypted their data.

In addition, in October the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) issued an advisory discouraging the payment of ransoms, which can run afoul of U.S. sanctions when the attacker is a sanctioned individual, group or state-sponsored actor. In that advisory, the Treasury Department warned that it "may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to US jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws." For firms that heed this warning and decline to pay, free decryption may still be possible: services such as ID Ransomware identify the ransomware family from an uploaded ransom note or encrypted file and point to a free decryptor where one exists.

Beyond that immediate issue is the matter of what to say about a ransomware attack to clients and the press as the breach gets resolved. It’s a judgment that must be made based on the individual circumstances of each case. “In the beginning, you’re often trying to figure out how much access the bad actors got,” Brunelle says. “Did they download files? Delete them? That will dictate the message. But basic advice I always give is to be transparent. You don’t want clients to find out down the road that you suffered a malware attack and didn’t tell them. Then you’ve lost their trust forever.”

That principle applies equally to multinational firms and solo practices, just like the threat of ransomware itself.