Solutions
Go Back

Make Security Possible

Reduce Alert Noise and False Positives

Boost your team's productivity by cutting down alert noise and false positives.

Automate Security Operations

Boost efficiency, reduce burnout, and better manage risk through automation.

Dark Web Monitoring

Online protection tuned to the need of your business.

Maximize Existing Security Investments

Improve efficiencies from existing investments in security tools.

Beyond MDR

Move your security operations beyond the limitations of MDR.

Secure with Microsoft 365 E5

Boost the power of Microsoft 365 E5 security.

Secure Multi-Cloud Environments

Improve cloud security and overcome complexity across multi-cloud environments.

Secure Mergers and Acquisitions

Control cyber risk for business acquisitions and dispersed business units.

Force-Multiply Your Security Operations

Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore Our Solutions
Security Operations Platform
Go Back

The GreyMatter Platform

Detection Investigation Response

Modernize Detection, Investigation, Response with a Security Operations Platform.

Threat Hunting

Locate and eliminate lurking threats with ReliaQuest GreyMatter

Threat Intelligence

Find cyber threats that have evaded your defenses.

Model Index

Security metrics to manage and improve security operations.

Breach and Attack Simulation

GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.

Digital Risk Protection

Continuous monitoring of open, deep, and dark web sources to identify threats.

Phishing Analyzer

GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.

Unify and Optimize Your Security Operations

ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Explore the GreyMatter Platform
Resources
Go Back

Resources

Blog

Company Blog

Case Studies

Brands of the world trust ReliaQuest to achieve their security goals.

Data Sheets

Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.

eBooks

The latest security trends and perspectives to help inform your security operations.

Industry Guides and Reports

The latest security research and industry reports.

Podcasts

Catch to the latest cybersecurity perspectives, tutorials and industry discussions with various guest speakers.

Solution Briefs

A deep dive on how ReliaQuest GreyMatter addresses security challenges.

Threat Advisories

The latest threat research report from ReliaQuest Photons research team.

Upcoming & On-Demand Webinars

Upcoming and on-demand webinars addressing the latest challenges and solutions security analysts must know.

White Papers

The latest white papers focused on security operations strategy, technology & insight.

Videos

Current and future SOC trends presented by our security experts.

ReliaQuest Resource
Center

From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Resource Center
Company
Go Back

Company

About ReliaQuest

We bring our best attitude, energy and effort to everything we do, every day, to make security possible.

Executive Leadership

Security is a team sport.

Careers

Join our world-class team.

Press and Media Coverage

ReliaQuest newsroom covering the latest press release and media coverage.

Become a Channel Partner

When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.

Contact Us

How can we help you?

A Mindset Like No Other in the Industry

Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Search
Go Back

Generic selectors

Exact matches only

Exact matches only

Search in title

Search in title

Search in content

Search in content

Search in excerpt

Post Type Selectors
Hidden

Hidden

Hidden

Hidden

Back to blog

On the Rise: Ransomware and the Legal Services Sector

admin 3 June 2021

Threat Intelligence

Ransomware has continued to dominate the headlines, new attacks, new groups, new data leak sites, and new tactics. Quarter over quarter for the past 12 months, ransomware attacks have increased, with an overall increase of 458% from 2019 to 2020. In our Q1 Ransomware Trends Report of 2021, we additionally observed increased professionalization of ransomware groups, lowering technical barriers to entry to more threat actors as services such as ransomware-as-a-service (RaaS) hit the market. Also observed was an increased prominence of supply chain attacks in the ransomware landscape such as the Accellion breach.

While ransomware groups have shown that no industry sector is off-limits for their attacks, the legal services sector has seen the most significant increase in targeting from Q4 2020 to Q1 2021. This blog focuses on the shift in ransomware groups’ focus to legal services organizations.

Which ransomware groups have shifted to target legal services?

Ransomware groups have gained a lot of attention from the media as groups shifted to the model of leaking the data that they stole and new ransomware operations were set up and announced practically every week Eventually, ransomware attacks began to make headlines for their exploits day after day. Digital Shadows (now ReliaQuest) reported 18 legal services organizations targeted by ransomware groups in Q4 2020 and 32 in Q1 2021, increasing 78 percent. From Q1 2020 to Q1 2021, ransomware attacks targeting the legal services industry increased 967%, from 3 reported organizations to 32.

Digital Shadows (now ReliaQuest) reported 18 legal services organizations targeted in Q4 2020 and 32 organizations in Q1 2021, indicating a 78% increase QoQ and a 967% increase YoY in legal services targeting by ransomware groups.

Figure 1: Number of legal services victim organization reported by Digital Shadows (now ReliaQuest) (Feb 2020 - May 2021) — *Figure 1: Number of legal services victim organization reported by Digital Shadows (now ReliaQuest) (Feb 2020 – May 2021)*

In May of 2020, Sodinokibi (REvil) ransomware group listed Grubman, Shire, Meiselas, & Sacks on their data leak site “Happy Blog”. Sodinokibi initially demanded a ransom of USD 21 million, which they doubled to USD 42 million after the law firm refused to pay the initial amount. Sodinokibi went on to leak the purported data of 12 clients of Grubman, Shire, Meiselas, & Sacks by posting it to their auction page in a failed attempt to push the firm to pay the ransom. Sodinokibi didn’t stop there; from February 2020 to May 2021, Digital Shadows (now ReliaQuest) reported on 95 legal services organizations targeted in ransomware attacks. Of those targeted attacks, Sodinokibi was responsible for 27 percent of them—26 organizations—making them the most active, known ransomware group for targeting legal services firms.

Figure 2: Number of targets per variant as reported by Digital Shadows (now ReliaQuest) (Feb 2020 - May 2021) — *Figure 2: Number of targets per variant as reported by Digital Shadows (now ReliaQuest) (Feb 2020 – May 2021)*

While the majority of major ransomware operators have now had a successful exploit of a legal services organization, Sodinokibi tops the chart. In addition to Sodinokibi, DarkSide and NetWalker followed with victim counts in the legal sector in the double digits. The graph above identifies the number of legal services organizations targeted by each ransomware type. The following groups targeted fewer than three organizations and, therefore, are excluded from the graph: Ako, Babuk Locker, Pay2Key, PYSA, Ragnar Locker, Ragnarok, Ryuk, Sekhmet, SunCrypt, and unattributed attacks.

Who is most susceptible to a ransomware attack within legal services?

The Legal Services sector includes a broad range of possible targets: law firms, courts, legal aid associations, legal services, and prosecutor’s offices. Organizations located in North America accounted for 80 percent of the 95 reported ransomware attacks targeting the legal services sector. Additionally, 93 of the targeted organizations were law firms.

93% of legal services organizations targeted by ransomware operators were law firms.

Ransomware groups targeted law firms of all sizes; however, law firms that employ 21 to 100 lawyers were targeted the most. Law firms that employ 21 to 100 employees accounted for 49 percent of the reported ransomware attacks reported by Digital Shadows (now ReliaQuest).

*Figure 3: Ransomware attacks by law firm size reported by Digital Shadows (now ReliaQuest) (Feb 2020 – May 2021)*

While tracking the data leak sites, I wondered if there was an increase in ransomware attacks as a whole or if the target audience had shifted. I found four industry sectors that decreased from Q4 2020 to Q1 2021, indicating that ransomware groups are shifting their focus from these industries to the targeting of the legal services sector:

Automobiles & Parts decreased 58 percent (26 Intel Updates to 11)
Construction & Materials decreased 39 percent (56 to 34)
Industrial goods & Services decreased 27 percent (193 to 140)
Pharmaceuticals decreased 88 percent (8 to 1).

Why are law firms increasingly targeted by ransomware actors?

A shift to law firms, significantly smaller law firms, seems to be an interesting shift in targeting for ransomware groups. I saw law firm after law firm named on several ransomware data leak sites— Happy Blog, Conti.News, DarkSide Leaks, etc.—I began to wonder why there was a shift in focus across the landscape.

Some plausible explanations for why these groups are targeting these organizations include that they make easy targets— with less security protocols in place and much valuable data to harvest— in addition to the higher chance of a payout. Others can conclude that if the ransomware is not paid, the valuable data can be sold on the dark web by itself, or the threat actor can satisfy political or personal motivations by targeting a victim that is ‘against’ their beliefs. I break out three of the main reasons below:

Easy targets

In October 2020, the American Bar Association reported that 29 percent of law firms said they had experienced a data breach, and 1 in 5 law firms did not know if they had experienced a data breach. Smaller firms are less likely to maintain an in-house security team, and they may be viewed as an easier target.

Higher chance of a payout

Organizations facing a ransomware attack typically pay the ransom when other options are not viable, such as using backups to restore data, not being able to afford the downtime, and preventing confidential data from being released.

Additionally, smaller law firms are likely to maintain cyber insurance, with 36 percent of surveyed law firms carrying cyber insurance in 2020. Ransomware operators may believe they are more likely to get a payment if the organization is covered by insurance.

Valuable data

Law firms keep many different data types, including personally identifiable information on clients and their families, case information, and confidential business information of their clients. When this type of information is exfiltrated, it creates a unique situation of the firm weighing the options of paying the ransom or facing the consequences.

For example, Epiq Global was targeted in a Ryuk ransomware attack in February 2020. In July 2020, a customer filed a lawsuit against the organization alleging that the ransomware attack led to the complainant’s social security number being accessed by attackers.

How do ransomware groups find their targets?

Ransomware-as-a-service groups allow vetted affiliates to use their tool to target victims; many groups require these affiliates to identify and prepare their targets. Aa a way to expedite that process affiliates gain access through Initial Access Brokers (IABs). IABs attempt to gain access to vulnerable organizations that they can then sell on criminal marketplaces to anyone willing to pay. Majority of the access listings advertise remote access through Remote Desktop Protocol (RDP) or a compromised Virtual Private Network (VPN).

For more information on initial access brokers, you can read our Initial Access Brokers Listings Increasing in 2021 blog.

*Figure 4: Initial access broker post advertising access to 30 organizations*

The IAB post above advertises access to 30 unnamed organizations, including one US-based law firm. IABs do the hard work for many ransomware operators by gaining access to a victim network and escalating privileges to admin accounts. IABs tend to be opportunistic threat actors, so knowing what type of accesses are available and making your organization a difficult target can help mitigate the risk of IABs. Additionally, tracking these advertisements and comparing them to ransomware attacks can help researchers track ransomware groups and their tactics.

How can I prevent or mitigate a ransomware attack?

The legal services sector is likely to remain sought-after by ransomware groups throughout Q2 2021.This blog has covered a shift in ransomware group’s targeting over the previous 12 months. Previous behavior observed in ransomware groups has suggested that if one group has success with a tactic, other groups are likely to follow. Monkey See, Monkey Do! Sodinokibi, one of the most successful groups currently in operation, has proven the effectiveness of operating in this sector.

Although the target audience of ransomware groups has changed, the mitigation techniques have not. An organization’s planning should occur before a ransomware attack occurs. Safely storing backups, training employees, conducting cybersecurity risk assessments, and prioritizing patching are a few of the steps organizations can take to prevent ransomware attacks. And if you’d like to start taking a proactive approach in preventing attack by tracking ransomware trends and the active, relevant threats posed to your organization we recommend getting a free trial of Threat Intelligence with SearchLight.

If you’re an existing Digital Shadows (now ReliaQuest) client, you can read more on tracking ransomware trends within SearchLight here. You’ll be able to use the search term, ransomware dumps, to set up alerts on new instances of data dumps on ransomware sites.