Law firms and cybersecurity are terms we coin only when it comes to litigation. However, an increasing number of law firms are falling for ransomware attacks. Their common method of entry: Phishing.
ALPHV ransomware group is the latest to hit the sector, this time targeting US-based law firm BC Attorney. The group claims to have obtained 390 GB of sensitive company data, including employee personal information, financial reports and more.
In a tweet, threat intelligence service Falcon Feeds shared the information and a screenshot of the threat actor’s post on the dark web.
The Cyber Express team has contacted the BC Attorney to verify the cybersecurity incident claimed by the ALPHV ransomware group. However, the company is yet to respond or release an official response addressing the same.
How the attack was executed is still unknown. However, an analysis of the recent ransomware incidents at law firms and cybersecurity concerns that popped up along with it shows that the most common tactic is phishing.
Law firms and cybersecurity: A case of concern
In 2022 alone, over 100 law firms across 17 states in the US reported incidents of cyber-attacks and breaches, according to a recent report by US based IT services company Protected Harbor,
Most of the attacks were primarily carried out by phishing scams or exploiting vulnerabilities associated with email systems,
Phishing also helped attackers execute Wi-Fi network access point breaches, and ransomware deployment on computers and data servers.
According to the report, when it comes to small and medium-sized law firms cybersecurity does not get the attention or investment it deserves, leaving them susceptible to cyber-criminals.
The report lists personal devices, such as mobile phones and laptops as the initial potential attack points, putting law firms and cybersecurity practices under the lens.
Even larger firms with IT departments often need help to keep up with evolving technology and new cyber-attack forms.
Richard Luna, CEO of Protected Harbor, recommended that operations of law firms and cybersecurity concerns can be effectively streamlined with managed IT service providers (MSPs) who stay updated on the latest threats and can design systems with reduced vulnerability.
Having a plan for mitigating cyber threats and investing in cybersecurity, equipment, and software is critical for law firms. Potential clients should ask their attorneys how they protect data when choosing a firm to work with. If they don’t have a good answer, clients should look to another firm,” Luna advised.
The 2023 Law Firm Data Breach Trend Report provides valuable strategies for law firms to understand and implement better law firm cybersecurity measures.
One of the key recommendations is to offer comprehensive training and education to all employees, including partners, on identifying phishing, fraud, and other concerns that involve law firms and cybersecurity.
Additionally, firms should consider regularly upgrading software, implementing spam and virus scanning filters, and maintaining a separate backup system for critical data and client files, noted the report.
Robust procedures for password management, remote connections, and using USB and other data storage devices on firm networks are also crucial for law firms and cybersecurity postures.
Law firm and cybersecurity: The Crimson Kingsnake case
Gaining access to the email service of a law firm also allows threat actors to execute impersonation scams as well as multi-levelled phishing scams.
Last year, the Crimson Kingsnake threat group impersonated well-known international law firms to deceive recipients into approving overdue invoice payments.
The group created a strong foundation for business email compromise (BEC) attacks by pretending to be lawyers sending invoices for services supposedly rendered a year ago.
The emails appeared authentic, complete with logos and letterheads of major multinational law firms, making them more convincing.
According to the FBI’s extensive data covering the period from 2016 to 2019, the reported instances of BEC-induced losses reached an astonishing $43 billion in 2019.
A more recent revelation from the IC3 disclosed that in the year 2021 alone, a total of $2.4 billion was lost to BEC scams, affecting a staggering number of 19,954 entities.
Law firms and cybersecurity: More investment needed
Failure to invest in cybersecurity exposes sensitive client data and jeopardizes the firm’s reputation.
As Warren Buffet famously said, “It takes 20 years to build a reputation and 5 minutes to ruin it.”
The rise of cyber threats and phishing attacks targeting law firms highlights the urgent need for enhanced cybersecurity measures in the legal industry.
Law firms and cybersecurity practices associated with their operations should be proactive and ever-evolving, better engagement with experienced MSPs.
By continuously educating employees, law firms can effectively protect sensitive data, mitigate risks, and maintain their professional reputations in an increasingly digital world.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
