November 30, 2023
Ransomware has continued to dominate the headlines: new attacks, new groups, new data leak sites, and new tactics. Quarter over quarter for the past 12 months, ransomware attacks have increased, with an overall increase of 458% from 2019 to 2020. In our Q1 Ransomware Trends Report of 2021, we additionally observed increased professionalization of ransomware groups, which lowered technical barriers to entry for more threat actors as services such as ransomware-as-a-service (RaaS) hit the market. We also observed an increased prominence of supply chain attacks in the ransomware landscape, such as the Accellion breach.
While ransomware groups have shown that no industry sector is off-limits for their attacks, the legal services sector has seen the most significant increase in targeting from Q4 2020 to Q1 2021. This blog focuses on the shift in ransomware groups’ focus to legal services organizations.
Ransomware groups have gained a lot of attention from the media as groups shifted to the model of leaking the data that they stole, and new ransomware operations were set up and announced practically every week. Eventually, ransomware attacks began to make headlines for their exploits day after day. Digital Shadows (now ReliaQuest) reported 18 legal services organizations targeted by ransomware groups in Q4 2020 and 32 in Q1 2021, an increase of 78 percent. From Q1 2020 to Q1 2021, ransomware attacks targeting the legal services industry increased 967%, from 3 reported organizations to 32.
Digital Shadows (now ReliaQuest) reported 18 legal services organizations targeted in Q4 2020 and 32 organizations in Q1 2021, indicating a 78% increase QoQ and a 967% increase YoY in legal services targeting by ransomware groups.
In May of 2020, Sodinokibi (REvil) ransomware group listed Grubman, Shire, Meiselas, & Sacks on their data leak site “Happy Blog”. Sodinokibi initially demanded a ransom of USD 21 million, which they doubled to USD 42 million after the law firm refused to pay the initial amount. Sodinokibi went on to leak the purported data of 12 clients of Grubman, Shire, Meiselas, & Sacks by posting it to their auction page in a failed attempt to push the firm to pay the ransom. Sodinokibi didn’t stop there; from February 2020 to May 2021, Digital Shadows (now ReliaQuest) reported on 95 legal services organizations targeted in ransomware attacks. Of those targeted attacks, Sodinokibi was responsible for 27 percent of them—26 organizations—making them the most active, known ransomware group for targeting legal services firms.
While the majority of major ransomware operators have now had a successful exploit of a legal services organization, Sodinokibi tops the chart. In addition to Sodinokibi, DarkSide and NetWalker followed with victim counts in the legal sector in the double digits. The graph above identifies the number of legal services organizations targeted by each ransomware type. The following groups targeted fewer than three organizations and, therefore, are excluded from the graph: Ako, Babuk Locker, Pay2Key, PYSA, Ragnar Locker, Ragnarok, Ryuk, Sekhmet, SunCrypt, and unattributed attacks.
The Legal Services sector includes a broad range of possible targets: law firms, courts, legal aid associations, legal services, and prosecutor’s offices. Organizations located in North America accounted for 80 percent of the 95 reported ransomware attacks targeting the legal services sector. Additionally, 93 of the targeted organizations were law firms.
93% of legal services organizations targeted by ransomware operators were law firms.
Ransomware groups targeted law firms of all sizes; however, law firms that employ 21 to 100 lawyers were targeted the most. Law firms that employ 21 to 100 employees accounted for 49 percent of the ransomware attacks reported by Digital Shadows (now ReliaQuest).
While tracking the data leak sites, I wondered if there was an increase in ransomware attacks as a whole or if the target audience had shifted. I found four industry sectors that decreased from Q4 2020 to Q1 2021, indicating that ransomware groups are shifting their focus from these industries to the targeting of the legal services sector:
A shift to law firms, significantly smaller law firms, seems to be an interesting shift in targeting for ransomware groups. As I saw law firm after law firm named on several ransomware data leak sites (Happy Blog, Conti.News, DarkSide Leaks, etc.), I began to wonder why there was a shift in focus across the landscape.
Some plausible explanations for why these groups are targeting these organizations include that they make easy targets, with fewer security protocols in place and much valuable data to harvest, in addition to the higher chance of a payout. Others can conclude that if the ransom is not paid, the valuable data can be sold on the dark web by itself, or the threat actor can satisfy political or personal motivations by targeting a victim that is ‘against’ their beliefs. I break out three of the main reasons below:
Easy targets
In October 2020, the American Bar Association reported that 29 percent of law firms said they had experienced a data breach, and 1 in 5 law firms did not know if they had experienced a data breach. Smaller firms are less likely to maintain an in-house security team, and they may be viewed as an easier target.
Higher chance of a payout
Organizations facing a ransomware attack typically pay the ransom when other options, such as using backups to restore data, are not viable, when they cannot afford the downtime, or when they want to prevent confidential data from being released.
Additionally, smaller law firms are likely to maintain cyber insurance, with 36 percent of surveyed law firms carrying cyber insurance in 2020. Ransomware operators may believe they are more likely to get a payment if the organization is covered by insurance.
Valuable data
Law firms keep many different data types, including personally identifiable information on clients and their families, case information, and confidential business information of their clients. When this type of information is exfiltrated, it creates a unique situation of the firm weighing the options of paying the ransom or facing the consequences.
For example, Epiq Global was targeted in a Ryuk ransomware attack in February 2020. In July 2020, a customer filed a lawsuit against the organization alleging that the ransomware attack led to the complainant’s social security number being accessed by attackers.
Ransomware-as-a-service groups allow vetted affiliates to use their tool to target victims; many groups require these affiliates to identify and prepare their targets. As a way to expedite that process, affiliates gain access through Initial Access Brokers (IABs). IABs attempt to gain access to vulnerable organizations that they can then sell on criminal marketplaces to anyone willing to pay. The majority of the access listings advertise remote access through Remote Desktop Protocol (RDP) or a compromised Virtual Private Network (VPN).
For more information on initial access brokers, you can read our Initial Access Brokers Listings Increasing in 2021 blog.
The IAB post above advertises access to 30 unnamed organizations, including one US-based law firm. IABs do the hard work for many ransomware operators by gaining access to a victim network and escalating privileges to admin accounts. IABs tend to be opportunistic threat actors, so knowing what type of accesses are available and making your organization a difficult target can help mitigate the risk of IABs. Additionally, tracking these advertisements and comparing them to ransomware attacks can help researchers track ransomware groups and their tactics.
The legal services sector is likely to remain sought-after by ransomware groups throughout Q2 2021. This blog has covered a shift in ransomware groups’ targeting over the previous 12 months. Previous behavior observed in ransomware groups has suggested that if one group has success with a tactic, other groups are likely to follow. Monkey See, Monkey Do! Sodinokibi, one of the most successful groups currently in operation, has proven the effectiveness of operating in this sector.
Although the target audience of ransomware groups has changed, the mitigation techniques have not. An organization’s planning should occur before a ransomware attack occurs. Safely storing backups, training employees, conducting cybersecurity risk assessments, and prioritizing patching are a few of the steps organizations can take to prevent ransomware attacks. And if you’d like to start taking a proactive approach to preventing attacks by tracking ransomware trends and the active, relevant threats posed to your organization, we recommend getting a free trial of Threat Intelligence with Search Light (now ReliaQuest GreyMatter Digital Risk Protection).
If you’re an existing Digital Shadows (now ReliaQuest) client, you can read more on tracking ransomware trends within Search Light (now ReliaQuest GreyMatter Digital Risk Protection) here. You’ll be able to use the search term, ransomware dumps, to set up alerts on new instances of data dumps on ransomware sites.