In nearly six months, at least seven law firms have been infiltrated by ransomware, according to media reports. Of the attacks, hacker groups Maze and REvil have taken responsibility for them all.

Both groups are well-known, said Mark Sangster, vice president and industry security strategist of cybersecurity firm eSentire. And unfortunately for legal, Sangster added, "it seems they lately have turned their focus upon law firms."

Sangster noted Maze and REvil represent an "evolution" from the "old attacks" law firms faced. Previously, cyberattacks were usually directed at one lawyer that took down access to their laptop. While it wasn't ideal, it just took one lawyer out of commission while IT backed up their laptop.

Now, however, hackers have adjusted their strategies, by infiltrating original files and backups through remote access "backdoors" and hijacking administrative controls.

"What they've done is removed the defense that these law firms have built, and the law firms are back to having very little choice. They can pay the ransom or go through the very laborious task of rebuilding [their files]," Sangster explained.

Below is a rundown of the hacking groups and their ransomware, and a look at how they've become a nightmare for U.S. and international law firms.

|

Maze

In February alone, Maze reportedly held, and in one instance published, five law firms' client data.

Maze placed the firms on a list, promising to expose the firms' data if its ransom demands weren't met. By February, Law.com reported Maze released a trove of data from Texas-based Baker Wotring, which included pain diaries from personal injury cases, Health Insurance Portability and Accountability Act (HIPAA) consent forms, and more.

At the time, Emsisoft security analyst Brett Callow told The American Lawyer that Maze's tactics were unusual because while most hackers threaten to block data access if their ransom isn't paid, this group was offering samples of the private data as proof.

While February's attacks showed just how at risk that law firms are, many can take solace that they can mitigate such risk by encrypting data, noted Dykema Gossett member Sean Griffin.

"As much of your info should be encrypted as much as you can," he said. "It's a lot better for the firm. If it's unencrypted the hacker gets a bunch of confidential information they can disclose." Griffin also noted a state's data breach notification requirement usually won't apply for breached encrypted data, which also avoids steep notification costs.

|

REvil

Hacking group REvil grabbed headlines in legal and general news media when it announced it obtained the client files of New York City-based entertainment firm Grubman Shire Meiselas & Sacks.

The hackers threatened to release hundreds of gigabytes of legal documents, including contracts, phone numbers, email addresses, personal communication, nondisclosure agreements and other information, according to reports. REvil wanted $21 million to not expose the business dealings of U2, Bruce Springsteen, Madonna, Nicki Minaj and many others.

While every law firm can't claim Lady Gaga as a client, every firm is still an attractive target to hackers, Sangster noted.

"This shows for law firms, no matter the practice you havethis isn't just being a supplier to a bank—you could be practicing family law or in this case entertainment law and it makes you a lucrative target," he said.

Indeed, Big Law and firms with high-profile clients aren't hackers' only targets. Notably, the week REvil announced it hacked Grubman Shire, Legal IT Insider reported REvil posted a screenshot of 11-lawyer firm Patten & Prentice's internal folder structure. 

Ken Caldwell, managing partner of the Scotland-based firm, told Legal IT Insider the firm was aware of the situation and was "taking appropriate action with our security experts."