I know I keep beating the Ransomware 2.0 drum, but there is a reason for it. There is no good response to it other than to stop it from happening in the first place.
According to media reports, Maze ransomware hackers have attacked 5 law firms in the last 30 days and 3 law firms in the last 24 hours from when the report was written.
More importantly, the hackers posted some of the data on the web – and not the dark web but rather the normal web for everyone to see – to prove that they exfiltrated data before they encrypted it.
The hackers are demanding $1 million for the decryption keys and another $1 million to not sell the data. In some of the attacks we have seen, the data was posted with a note asking other hackers to do as much damage as possible with it.
So far, the media is not naming these law firms, but that will only last so long.
Hmmm. So long is not very long at all.
Doing another Google search, the firms are:
- Bangs McCullen
- Lynn, Jackson, Shultz & Lebrun
- Costello Porter
Obviously, the objective here is to embarrass the firms and hopefully get them to pay up, and to act as a warning to other firms.
With ransomware 2.0, having backups is not sufficient.
If the hackers threaten to publish, for example, your client’s confidential information in your care, what is your plan?
A couple of thoughts from the client’s side. Many of you engage law firms. If you look at the engagement agreement, it probably says that they are not liable if they are hacked. I would suggest that you get out your marker and cross that out and sign it. If the law firm won’t agree to removing that, find a different firm. There are lots of them.
Larger clients are asking prospective law firms for a copy of their most recent cyber risk assessment, or at least a summary version of it.
They are also asking what kind of training the firms do, what policies they have in place, and what kind of threat detection solutions are being used.
These are all legitimate questions.
Of course, you need someone knowledgeable on your side to evaluate the answers, too.
One reason the attackers are going after law firms is that by attacking a single firm, they get information on hundreds of companies or more.
In your Vendor Cyber Risk Management (VCRM) program, law firms should be considered high-risk vendors.
In the agreement with the firm is there an arbitration requirement? Typically arbitration works in favor of the firm and not you.
Also note that there is no law that requires your law firm to tell you if your company's confidential information is breached (unless there is personal information in there too). Make sure that your agreement requires that they notify you if they are hacked. Quickly.
Do they have cyber risk insurance? Do you have to hope that the firm has enough cash to repair the damage?
If you have any questions about this, please contact us.