Meet the Hacker Groups Snatching Law Firms' Client Data
These ransomware and hacking groups are hitting law firms where it really hurts: client data backups.
May 21, 2020 at 10:15 AM
4 minute read
In nearly six months, at least seven law firms have been infiltrated by ransomware, according to media reports. Of the attacks, hacker groups Maze and REvil have taken responsibility for them all.
Both groups are well-known, said Mark Sangster, vice president and industry security strategist of cybersecurity firm eSentire. And unfortunately for legal, Sangster added, "it seems they lately have turned their focus upon law firms."
Sangster noted Maze and REvil represent an "evolution" from the "old attacks" law firms faced. Previously, cyberattacks were usually directed at one lawyer that took down access to their laptop. While it wasn't ideal, it just took one lawyer out of commission while IT backed up their laptop.
Now, however, hackers have adjusted their strategies, by infiltrating original files and backups through remote access "backdoors" and hijacking administrative controls.
"What they've done is removed the defense that these law firms have built, and the law firms are back to having very little choice. They can pay the ransom or go through the very laborious task of rebuilding [their files]," Sangster explained.
Below is a rundown of the hacking groups and their ransomware, and a look at how they've become a nightmare for U.S. and international law firms.
|Maze
In February alone, Maze reportedly held, and in one instance published, five law firms' client data.
Maze placed the firms on a list, promising to expose the firms' data if its ransom demands weren't met. By February, Law.com reported Maze released a trove of data from Texas-based Baker Wotring, which included pain diaries from personal injury cases, Health Insurance Portability and Accountability Act (HIPAA) consent forms, and more.
At the time, Emsisoft security analyst Brett Callow told The American Lawyer that Maze's tactics were unusual because while most hackers threaten to block data access if their ransom isn't paid, this group was offering samples of the private data as proof.
While February's attacks showed just how at risk that law firms are, many can take solace that they can mitigate such risk by encrypting data, noted Dykema Gossett member Sean Griffin.
"As much of your info should be encrypted as much as you can," he said. "It's a lot better for the firm. If it's unencrypted the hacker gets a bunch of confidential information they can disclose." Griffin also noted a state's data breach notification requirement usually won't apply for breached encrypted data, which also avoids steep notification costs.
|REvil
Hacking group REvil grabbed headlines in legal and general news media when it announced it obtained the client files of New York City-based entertainment firm Grubman Shire Meiselas & Sacks.
The hackers threatened to release hundreds of gigabytes of legal documents, including contracts, phone numbers, email addresses, personal communication, nondisclosure agreements and other information, according to reports. REvil wanted $21 million to not expose the business dealings of U2, Bruce Springsteen, Madonna, Nicki Minaj and many others.
While every law firm can't claim Lady Gaga as a client, every firm is still an attractive target to hackers, Sangster noted.
"This shows for law firms, no matter the practice you have—this isn't just being a supplier to a bank—you could be practicing family law or in this case entertainment law and it makes you a lucrative target," he said.
Indeed, Big Law and firms with high-profile clients aren't hackers' only targets. Notably, the week REvil announced it hacked Grubman Shire, Legal IT Insider reported REvil posted a screenshot of 11-lawyer firm Patten & Prentice's internal folder structure.
Ken Caldwell, managing partner of the Scotland-based firm, told Legal IT Insider the firm was aware of the situation and was "taking appropriate action with our security experts."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLaw Firms Mentioned
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250