Marclay Research into Legal Firms Exposure to Ransomware


Marclay Dark Web Research Shows Legal Firms Account For Over 20% Of Successful Ransomware Attacks

Ransomware was widely considered to be one of the fastest growing business risks affecting medium-sized companies in the UK in 2020 (alongside national lockdowns and Brexit). The Beazley Insurance Group estimates ransomware attacks are up 130% in 2020, and the value of ransom demands is rising significantly, regularly hitting six or even seven figures.

As a hack, ransomware is particularly efficient for cyber-criminals. Once the ransomware tool is developed, hackers often engage a network of “Affiliates” to distribute the malicious code into company systems. In exchange for help with distributing the malware, Affiliates can earn up to 85% of the paid ransoms, making it a lucrative business for all involved.

In October 2020, the Marclay cyber-research team undertook a detailed analysis project into the dark web, with the objective of identifying the business sectors most affected by ransomware. We interrogated the 10 most active ransomware strains of 2020, including REvil, Nemty, Nephilim, Netwalker, DoppelPaymer, Ryuk, Sodinokibi, CLOP, Tycoon, and Sekhmet.

Our research focussed on open-source information (data publicly available to everyone on the internet) and no hacker groups were contacted or remunerated during the research project.

Over 1,000 ransomware incidents were analysed. The following percentage breakdown shows the sectors in which the victim companies operate:

  • Legal – 21%
  • Manufacturing – 16%
  • Hospitality – 15%
  • Finance – 12%
  • Retail – 8%
  • Construction – 4%
  • Telecommunications – 3%
  • Other (e.g. agriculture, mining, advertising, etc.) – 21%

Legal firms were found to have the highest prevalence on ransomware blog sites, with manufacturing and hospitality coming in second and third, respectively.

The attraction for hackers to target law firms with ransomware is multi-faceted. Firstly, the data held is often of a sensitive or commercially private nature, and the importance of that data gives it a high value should it be commandeered by a hacker.

Secondly, legal firms are perceived to have available cash at hand, and hackers may believe that funds will be available to pay a ransom should the motivation be strong enough.

Thirdly, legal firms often have a lack of ownership or responsibility when it comes to data security. Whilst many law practices place emphasis on IT system availability and uptime, the ownership of information security is often overlooked, or not given the appropriate levels of focus.

In addition to the business sectors most targeted by hackers, we also looked at the type of data held under ransom, and the average lead-time that was given to the victim company prior to hackers deleting or leaking the information.

In 78% of the cases analysed, the hackers purported to have stolen or encrypted data which contained bank/financial information and customer data. In most cases, screenshots were provided on hacker blog sites showing sample sets of the stolen data to validate their claims of a successful hack.

The average response time given by hackers was 13 days, with the shortest being just 48 hours.

The rise of ransomware in 2020 brings a stark reminder that businesses must constantly develop and strengthen their cyber-security strategy. Even if companies give cyber-security the right level of focus, there will always be a risk of falling victim to an attack, so having a clearly defined response plan in place is essential.

When it comes to cyber-insurance, a study conducted by Sophos earlier this year surveyed 5,000 IT Managers, and found that 84% of respondents have cybersecurity insurance, but only 64% have insurance that covers ransomware. This disconnect has the potential to cause a major financial burden on companies that suffer a ransomware attack, as it is wrongly assumed their insurers will support the costly remedial measures should a ransomware attack occur.

It is now vital for companies to plan and prepare for a ransomware or cyber-attack, and to ensure they have a robust and clear strategy for responding to an incident. Sadly, in most cases it is not a case of if an attack will occur, but when.