Ransomware has continued to dominate the headlines, new attacks, new groups, new data leak sites, and new tactics. Quarter over quarter for the past 12 months, ransomware attacks have increased, with an overall increase of 458% from 2019 to 2020. In our Q1 Ransomware Trends Report of 2021, we additionally observed increased professionalization of ransomware groups, lowering technical barriers to entry to more threat actors as services such as ransomware-as-a-service (RaaS) hit the market. Also observed was  an increased prominence of supply chain attacks in the ransomware landscape such as the Accellion breach. 

While ransomware groups have shown that no industry sector is off-limits for their attacks, the legal services sector has seen the most significant increase in targeting from Q4 2020 to Q1 2021. This blog focuses on the shift in ransomware groups’ focus to legal services organizations.

Which ransomware groups have shifted to target legal services?

Ransomware groups have gained a lot of attention from the media as groups shifted to the model of leaking the data that they stole and new ransomware operations were set up and announced practically every week  Eventually, ransomware attacks began to make headlines for their exploits day after day. Digital Shadows (now ReliaQuest) reported 18 legal services organizations targeted by ransomware groups in Q4 2020 and 32 in Q1 2021, increasing 78 percent. From Q1 2020 to Q1 2021, ransomware attacks targeting the legal services industry increased 967%, from 3 reported organizations to 32. 

Digital Shadows (now ReliaQuest) reported 18 legal services organizations targeted in Q4 2020 and 32 organizations in Q1 2021, indicating a 78% increase QoQ and a 967% increase YoY in legal services targeting by ransomware groups.

Figure 1: Number of legal services victim organization reported by Digital Shadows (now ReliaQuest)  (Feb 2020 - May 2021)
Figure 1: Number of legal services victim organization reported by Digital Shadows (now ReliaQuest)  (Feb 2020 – May 2021)

In May of 2020, Sodinokibi (REvil) ransomware group listed Grubman, Shire, Meiselas, & Sacks on their data leak site “Happy Blog”. Sodinokibi initially demanded a ransom of USD 21 million, which they doubled to USD 42 million after the law firm refused to pay the initial amount. Sodinokibi went on to leak the purported data of 12 clients of Grubman, Shire, Meiselas, & Sacks by posting it to their auction page in a failed attempt to push the firm to pay the ransom. Sodinokibi didn’t stop there; from February 2020 to May 2021, Digital Shadows (now ReliaQuest) reported on 95 legal services organizations targeted in ransomware attacks. Of those targeted attacks, Sodinokibi was responsible for 27 percent of them—26 organizations—making them the most active, known ransomware group for targeting legal services firms. 

Figure 2: Number of targets per variant as reported by Digital Shadows (now ReliaQuest) (Feb 2020 - May 2021)
Figure 2: Number of targets per variant as reported by Digital Shadows (now ReliaQuest) (Feb 2020 – May 2021)

While the majority of major ransomware operators have now had a successful exploit of a legal services organization, Sodinokibi tops the chart. In addition to Sodinokibi, DarkSide and NetWalker followed with victim counts in the legal sector in the double digits. The graph above identifies the number of legal services organizations targeted by each ransomware type. The following groups targeted fewer than three organizations and, therefore, are excluded from the graph: Ako, Babuk Locker, Pay2Key, PYSA, Ragnar Locker, Ragnarok, Ryuk, Sekhmet, SunCrypt, and unattributed attacks. 

Who is most susceptible to a ransomware attack within legal services?

The Legal Services sector includes a broad range of possible targets: law firms, courts, legal aid associations, legal services, and prosecutor’s offices. Organizations located in North America accounted for 80 percent of the 95 reported ransomware attacks targeting the legal services sector. Additionally, 93 of the targeted organizations were law firms. 

 93% of legal services organizations targeted by ransomware operators were law firms.

Ransomware groups targeted law firms of all sizes; however, law firms that employ 21 to 100 lawyers were targeted the most. Law firms that employ 21 to 100 employees accounted for 49 percent of the reported ransomware attacks reported by Digital Shadows (now ReliaQuest).

Figure 3: Ransomware attacks by law firm size reported by Digital Shadows (now ReliaQuest)  (Feb 2020 – May 2021)

While tracking the data leak sites, I wondered if there was an increase in ransomware attacks as a whole or if the target audience had shifted. I found four industry sectors that decreased from Q4 2020 to Q1 2021, indicating that ransomware groups are shifting their focus from these industries to the targeting of the legal services sector: 

  • Automobiles & Parts decreased 58 percent (26 Intel Updates to 11)
  • Construction & Materials decreased 39 percent (56 to 34)
  • Industrial goods & Services decreased 27 percent (193 to 140)
  • Pharmaceuticals decreased 88 percent (8 to 1).

Why are law firms increasingly targeted by ransomware actors?

A shift to law firms, significantly smaller law firms, seems to be an interesting shift in targeting for ransomware groups. I saw law firm after law firm named on several ransomware data leak sites— Happy Blog, Conti.News, DarkSide Leaks, etc.—I began to wonder why there was a shift in focus across the landscape. 

Some plausible explanations for why these groups are targeting these organizations include that they make easy targets— with less security protocols in place and much valuable data to harvest— in addition to the higher chance of a payout. Others can conclude that if the ransomware is not paid, the valuable data can be sold on the dark web by itself, or the threat actor can satisfy political or personal motivations by targeting a victim that is ‘against’ their beliefs. I break out three of the main reasons below:

Easy targets

 In October 2020, the American Bar Association reported that 29 percent of law firms said they had experienced a data breach, and 1 in 5 law firms did not know if they had experienced a data breach. Smaller firms are less likely to maintain an in-house security team, and they may be viewed as an easier target.

Higher chance of a payout

Organizations facing a ransomware attack typically pay the ransom when other options are not viable, such as using backups to restore data, not being able to afford the downtime, and preventing confidential data from being released. 

Additionally, smaller law firms are likely to maintain cyber insurance, with 36 percent of surveyed law firms carrying cyber insurance in 2020. Ransomware operators may believe they are more likely to get a payment if the organization is covered by insurance.

Valuable data

Law firms keep many different data types, including personally identifiable information on clients and their families, case information, and confidential business information of their clients. When this type of information is exfiltrated, it creates a unique situation of the firm weighing the options of paying the ransom or facing the consequences.

 For example, Epiq Global was targeted in a Ryuk ransomware attack in February 2020. In July 2020, a customer filed a lawsuit against the organization alleging that the ransomware attack led to the complainant’s social security number being accessed by attackers. 

How do ransomware groups find their targets?

Ransomware-as-a-service groups allow vetted affiliates to use their tool to target victims; many groups require these affiliates to identify and prepare their targets. Aa a way to expedite that process affiliates gain access through Initial Access Brokers (IABs). IABs attempt to gain access to vulnerable organizations that they can then sell on criminal marketplaces to anyone willing to pay. Majority of the access listings advertise remote access through Remote Desktop Protocol (RDP) or a compromised Virtual Private Network (VPN). 

For more information on initial access brokers, you can read our Initial Access Brokers Listings Increasing in 2021 blog. 

Figure 4: Initial access broker post advertising access to 30 organizations

The IAB post above advertises access to 30 unnamed organizations, including one US-based law firm. IABs do the hard work for many ransomware operators by gaining access to a victim network and escalating privileges to admin accounts. IABs tend to be opportunistic threat actors, so knowing what type of accesses are available and making your organization a difficult target can help mitigate the risk of IABs. Additionally, tracking these advertisements and comparing them to ransomware attacks can help researchers track ransomware groups and their tactics. 

How can I prevent or mitigate a ransomware attack?

The legal services sector is likely to remain sought-after by ransomware groups throughout Q2 2021.This blog has covered a shift in ransomware group’s targeting over the previous 12 months. Previous behavior observed in ransomware groups has suggested that if one group has success with a tactic, other groups are likely to follow. Monkey See, Monkey Do! Sodinokibi, one of the most successful groups currently in operation, has proven the effectiveness of operating in this sector.

Although the target audience of ransomware groups has changed, the mitigation techniques have not. An organization’s planning should occur before a ransomware attack occurs. Safely storing backups, training employees, conducting cybersecurity risk assessments, and prioritizing patching are a few of the steps organizations can take to prevent ransomware attacks. And if you’d like to start taking a proactive approach in preventing attack by tracking ransomware trends and the active, relevant threats posed to your organization we recommend getting a free trial of Threat Intelligence with Search Light (now ReliaQuest GreyMatter Digital Risk Protection).

If you’re an existing Digital Shadows (now ReliaQuest) client, you can read more on tracking ransomware trends within Search Light (now ReliaQuest GreyMatter Digital Risk Protection) here. You’ll be able to use the search term, ransomware dumps, to set up alerts on new instances of data dumps on ransomware sites.