cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Hackers have stolen £4m from UK law firms in ransomware campaign

The UK Solicitors Regulation Authority (SRA) report has found that 75 per cent of law firms in the UK have been victims of a cyber attack out of 40 UK practices investigated, with 23 out of those reporting that the firm had been directly targeted.

user iconReporter
Thu, 09 Jun 2022
Hackers have stolen £4m from UK law firms in ransomware campaign
expand image

The SRA report revealed that "half of the firms were found to have allowed unrestricted use of external data storage media", with hackers stealing £4 million of client money so far.

The risk is high for legal practices which means ransom is more likely to be paid out, and the demands of malicious cyber actors, or group demands will be met. Lawyers need to keep all notes on a case and hackers are keen to exploit it by exfiltrating data.

In an interview with Law Firm Ambition, Brian Inkster, founder of Inksters Solicitors explained that the relationships that exist between legal practices and its customers are foundational to their reputation.


"In many ways, your reputation is your brand.

"It attracts people to the firm."

"From then on, every time you interact with a client, by living up to your 'brand values' you can confirm what they think and strengthen [or weaken] your reputation," Inkster said.

Compared to other industries, those within the legal sector have an elevated risk to cyber threats, primarily due to the confidential data and sensitive client information available if a breach is successful.

According to the SRA data, legal practices depend on reputation and the relationships, but the report has found that security is "not often at the top of the priority list for legal practices".

In 2017, DLA Piper, one of the largest law practices, was hit by a ransomware attack that cost the firm millions. It was a significant ransomware attack as the "EternalBlue" hacking tool had been used to conduct the breach which cost the firm both directly and indirectly. According to TitanFile, EternalBlue "was rumoured to have been stolen from the NSA, and other methods to increase its reach and cause its damage". In the past five years, cyber threats have only evolved and become more sophisticated, which emphasises the need for legal practices to be proactive with threat hunting, rather than reactive.

The Legal Services Global Market Report has revealed that the legal industry is expected to "grow from $713.12 billion in 2021 to $788.94 billion in 2022 at a compound annual rate (CAGR) of 10.6 per cent". With infiltration being made via ransomware, phishing supply chain attacks, most cyber threat actors are driven by a potentially substantial financial payoff after a successful breach.

According to SRA, Campbell Conroy & O'Neil PC is a significant example of the many legal practices hit by a ransomware attack in 2021. The company was unable to access files that were critical to their clients and contained personal information following the breach. The legal practice issued an announcement regarding the breach, which confirmed the gravity of the situation and the lack of knowledge surrounding the amount of information lost.

"We cannot confirm if the unauthorised actor accessed or viewed any specific information relating to individuals.

"However, we determined that the information present in the system included certain individuals' names, dates of birth, driver's license numbers / state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e. usernames and passwords)," Campbell Conroy & O'Neil PC stated in the announcement.

Corrupt emails containing malicious links are usually the method in which phishing attacks are directed at the legal sector.

Clever phishing attack campaigns often initiate full-blown ransomware attacks. Email addresses and domain names can be easily spoofed, which is why it is essential to be vigilant when reading, opening, and responding to messages:

  • Do not open attachments from an untrusted/unknown sender.
  • Check for typos as these are a good indicator of a fake email.
  • Do not share sensitive information hastily, be sure you are sending to who you think you are sending to.
  • Don’t fall for URGENCY, especially when it comes from out of the blue.
  • Don’t open links if you are not certain of what they are or who the sender is.
  • If you think the email/link may be real, hover over attachments to check for an actual link, before you click on it or download anything.
  • If messages sound too good to be true, chances are they are malicious and just trying to entice you.
  • Keep your devices up to date.
  • Regularly check your accounts.
  • Finally, when in doubt, message your security team/manager instantly if you suspect anything out of the norm.

The Ransomware Threat Landscape white paper highlighted that "new ransomware strains are emerging to leverage file-less malware and data exfiltration tactics, while opportunistic attackers are using any change in circumstances to launch more effective campaigns".

One of the major challenges are conventional security tools that are only capable of detecting known cyber threats using rules and signatures. Evolving strains of ransomware means such signatures may not exist and can be undetectable. Additionally, security teams cannot keep up with these threats using the traditional controls alone, especially when understaffed or out-of-office.

According to the latest Chartered Institute of Procurement & Supply (CIPS) data, supply chain attacks rose by 42 per cent in the first quarter of 2021 in the US. Exploitation of third-party data stores, case management systems, or legal software providers is one of the ways a law firm's supply chain can be compromised.

Finally, two forms of internal threats emerged via current and former employees. A trusted employee who unintentionally breaches data comes down to a lack of education/training internally as the user is unaware that their actions are causing the business harm.

In other scenarios, information has been leaked intentionally by ex-employees for their own gain. Payment or coercion from a threat group could have motivated the individual, or the attack could be down to a personal grudge against the organisation/individual within the company.

According to the Identity Theft Resource Center (ITRC), "supply chain, phishing, and ransomware attacks reflect a broader trend that cyber criminals want to exploit multiple organisations through a single point-of-attack", indicating that internal cyber security training, upgrading or bolstering security software is now an essential business practice.

[Related: Data ‘shared by mistake’ driving up major cyber security risk]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.