Ransomware

The legal profession has not escaped the insidious onslaught of ransomware attacks that propagate like a digital pandemic. I have researched nearly 1,200 ransomware attacks, of which over 40 occurred directly within the legal profession. I say directly because many hundreds of other law firms and court systems were indirectly affected when their managed service providers (MSPs), such as TrialWorks (October 2019) and Epiq Global (March 2020), were attacked. The aftermath of these attacks ranged from lost access to critical trial data to trial postponements and requests for delays in various court proceedings. Suddenly losing access to case management and e-Discovery systems can be catastrophic.


Everyone Is Fair Game

Ransomware victims include law firms, courts, and legal service providers. Of the 42 legal profession organizations affected by ransomware, law firms are at the top of the list.

Size does not insulate an organization from the havoc a ransomware attack can inflict. Firms as large as the $2.5 billion DLA Piper and practices as small as a single attorney have experienced the effects of a ransomware attack. My research shows the average number of lawyers employed by law firms affected by ransomware is 180. The figure below shows how I classified the size of the law firms attacked by ransomware.

Ransomware operators view small law firms as having little to no security, and in my experience, they would be correct.


To Pay or Not To Pay, That Is the Question

Ransomware is big business, with $45,337,368 in ransomware demands made of legal firms. This total is skewed by the recent ransom demand of $42 million made of the law firm to the stars, Grubman Shire Meiselas & Sacks. I fear the size of this one ransom demand will set the market for future demands and increase the number of attacks against law firms as ransomware operators seek large payouts. The average ransomware demand currently stands at $1,054,368.

The legal profession is tight-lipped about ransom payouts. However, I learned that 45% of organizations paid the ransom. This compares to approximately 12% of organizations that pay in other industries. I believe the higher rate of ransom payments in the legal profession is likely due to the lack of preparedness of legal organizations to defend against an attack.


Insurance as a Strategy?

Law firms that carry cyber insurance may not always be able to count on their policy to bail them out as one Rhode Island law firm found out in 2017. Moses Afonso Ryan, a Rhode Island litigation firm, made a claim to recover $700,000 in lost billable hours when ransomware locked their computer systems. The insurer denied the full claim stating only $20,000 was recoverable under the terms of the policy. The ultimate ruling the U.S. District Court for the District of Rhode Island would make in Moses Afonso Ryan LTD v. Sentinel Insurance Company could have a wide-reaching impact on the cyber insurance industry.


Terrible Tuesdays

Nearly 21% of legal industry ransomware attacks occur on Tuesdays, whereas the most active day for ransomware attacks in all other industries is Friday, at 22%.

I cannot really account for this difference except to say that it is likely a statistical anomaly based on the dataset size.


Digital Quakes

Just as a single ransomware attack on an MSP can have a crippling ripple effect on multiple organizations, so can an attack on an Office of the Courts. Take, for instance, the 2019 case in which over 50 municipal courts dependent on the Georgia Administrative Office of the Courts (AOC) computer systems for case management were forced to resort to paper records, causing cases to be postponed and some even to be dismissed. You need to ask yourself how dependent you are on someone else's computer systems.


Abandon All Hope?

Never give up hope, as there is much that you can do. Here are the most essential actions to take to protect your organization from the effects of a ransomware attack:

  • Create a Contingency Plan—Assume your cloud case management or e-discovery service provider or software is unavailable, and plan to operate with paper documents and manual processes to handle time-sensitive cases.
  • Train Users to Avoid Becoming a Victim of a Phishing Attack—Train staff how to avoid falling for a targeted phishing attack through the use of phishing simulation software such as those offered by KnowBe4 and EC-Council. Email is the top threat vector for ransomware attacks.
  • Backup Critical Data—Ensure all essential data is backed up with a strategy where the ransomware cannot also encrypt backup data. Follow the rule of 3-2-1 where three copies of your data are kept, data is stored on two separate storage devices and at least one copy of your data is stored off-site.
  • Deploy Anti-Malware/Ransomware Software—A comprehensive endpoint protection solution that incorporates malware detection is essential to defending against ransomware attacks.
  • Restrict User Privilege—Restrict privileged access to only those employees who absolutely require it. Ransomware attacks begin days before the actual encryption: the attackers linger in a system looking for privileged access with which to deploy their payload.
  • Maintain Computer Hygiene—Many ransomware attacks exploit known vulnerabilities that can generally be patched to repel an attack. Disable all unnecessary ports and services as well as keep current with patching.
  • Document Ransomware Response Plan—What you do in the minutes following an attack can be the difference in surviving or succumbing to an attack. You will need a step-by-step ransomware response plan.

Tari Schreider is the Author of Cybersecurity Law, Standards and Regulations—2nd edition, a master instructor of CISO certification courses for EC-Council, a Distinguished Technologist and former Chief Security Architect for Hewlett-Packard Enterprises. Mr. Schreider is board certified in cybersecurity, risk management and business continuity.