Sharon D. Nelson, John W. Simek 2021-07-24 23:57:38
Small and Midsized Law Firms Slammed by Ransomware
A Warning for Law Firms
The first of the quarterly 2021 surveys appeared during April — the news isn’t good for small and midsized law firms. Note these ominous words from Coveware, a highly regarded aggregator of global ransomware and cyber extortion data, which published the Coveware Quarterly Ransomware Report (Q1 2021):
“The most notable change in industries impacted by ransomware attacks in Q1 was the Professional Services industry, specifically law firms. Small and medium sized law firms continue to succumb to encryption ransomware and data exfiltration extortion attacks. Unfortunately, the economics of many small professional service firms do not encourage or enable adequate cyber security.”
Sobering Statistics from the First Quarter of 2021
The average ransom payment was $220,298 (+43 percent from Q4 2020).
The average number of downtime days was 23 (+10 from Q4 2020).
77 percent of ransomware attacks threatened to leak the stolen data (up from 70 percent in Q4 2020).
A new and disturbing trend in 2021? Attackers are disrupting businesses after an initial attack while the firm is trying to recover—and stealing more data or relaunching ransomware.
Law Firms Should Assume the Worst
The first thing a law firm should assume is that any of its data stolen by attackers will not be destroyed by the cyber criminals — even if a ransom is paid. It may well be traded to others, sold — or even held for a second extortion attempt.
Assume that multiple parties held your data, and that the data was not necessarily secured. Any of those parties may have made copies for prospective extortion in the future.
It is increasingly likely that data will be published, often called “naming and shaming,” before you can even respond to the ransom demand. This puts pressure on the law firm to pay.
Where Does the Danger Come From?
The most common ransomware attack vector is compromised remote desktop protocols, which so many lawyers working from home use to connect to the law firm network.
This is followed by phishing emails, which are getting better and better at fooling your employees. Employee security awareness training should take place annually (more often is better) and running phishing simulations periodically is helpful. Employees simply forget over time, so repetitive training is critical.
Why are Small and Midsize Law Firms So Vulnerable?
As the Coveware report notes, 24.9 percent of ransomware attacks target professional services firms, especially small and midsized law firms.
There are several ways small firms make mistakes. They are hobbled by the modesty of their budgets for cybersecurity. On the flip side, they want to maximize profits and distribute income to the partners at the end of the year. Cybersecurity doesn’t make the cut when distributions are discussed.
Their clients tend to be smaller and may not demand security assessments as larger clients do. Sometimes they get to bask in obscurity because attacks on smaller firms often do not make the headlines.
Most smaller firms do not have an Incident Response Plan (IRP), so their reaction to an attack is a “headless chicken” scramble that is not properly handled. Often, they don’t properly remediate the vulnerabilities that caused the attack. This leads to a second attack.
Don’t Think Paying the Ransom Will Guarantee You Get All Your Data Back!
Sophos, a highly regarded cybersecurity vendor, issued its “The State of Ransomware in 2021” report. Their survey found that only 8 percent of entities get back ALL their data after paying the ransom. Twenty-nine percent of those who paid the ransom got back no more than half their data.
The report notes a worrisome trend. Attackers are moving from automated attacks to highly targeted “hands-on-keyboard” hacking. This is a cause for alarm, as the potential damage from these more complex attacks is much greater, with remediation costs more than doubling from approximately $761,000 in 2020 to $1.85 million in 2021.
To add to the merriment, remediation costs are now ten times greater than the average ransom payment.
Final Thoughts
Threats from attackers are morphing constantly. As the threats evolve, so must the defenses. Busy attorneys understandably have trouble keeping up with cybersecurity. But when they can, they should try to stay current through reading reputable blogs and articles and taking cybersecurity CLEs at least once a year — and more is better. Batten down the hatches — we’re in for a bumpy ride for years to come.
Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA. snelson@senseient.com.
John W. Simek is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional, Certified Ethical Hacker, and a nationally known expert in digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their Fairfax firm. jsimek@senseient.com
©Virginia State Bar.