A: In a new 2023 campaign, ransomware criminals began targeting legal professionals by poisoning search results on the web. Let’s say you search for useful forms using a legal term and click on a top-ranking search result. You risk downloading both the form and ransomware.
Attacking Legal Organizations of All Sizes
The Blackcat ransomware gang floods the Internet with malicious web pages and infected advertisements. They stuff their phony pages with 3.5 million occurrences of targeted search words and phrases. Most of them are legal terms.
The gang effectively poisons legal search results. Their pages rank high in search engines such as Google. So, legal organizations of all sizes become targets, not just the big law firms whose data breaches make the headlines.
Targeting Legal Professionals
Half of the Gootloader attacks strike the legal sector.
Joe Stewart, a principal security researcher at eSentire, observed, “This [is] what I call a landmine approach. They’re just mining the entire web with these search keywords and just waiting for somebody in the legal profession, or somebody who needs this legal document, to just stumble on it and open it up. . . .”
The vast majority of files dropped by Gootloader set off ransomware.
Small Firm Risks
Ilia Kolochenko, chief architect at ImmuniWeb, observed that law firms are often small, composed of one or two people, so they lack the cybersecurity knowledge of the larger firms. “Solo practitioners and small law firms are usually poorly protected, having very modest budgets for cybersecurity,” said Kolochenko.
Protection Against Malicious Web Pages
Antivirus companies do their best to keep up with the criminals, quarantining known bad files and blocking malicious programs based on behavior. You need antivirus protection to detect those known dangerous files and behaviors. But, sadly, the hackers keep winning. Large numbers of their continually altered files make it through antivirus services to cause harm.
Cloudflare, a web performance and security company, advises, “remote browser isolation (RBI) technology . . . can automatically isolate suspicious email links to prevent users from being exposed to potentially malicious web content.”
RBI integrated into web browsers offers the same protection against both infected search results and phishing emails. If you click on a bad link, whoa! You see a warning screen and maybe an option to safely view a screenshot of the dangerous webpage.
The features and pricing of RBI products vary. Researchers at the RBI companies are constantly updating and expanding their analytic technologies. They identify never-before-seen threats based on the techniques used by criminals to design their phony websites.
Examples of RBI subscription services include:
- Ericom Zerotrust Web Isolation, Ericom Solutions, Jerusalem, Israel
- Zscaler Browser Isolation, Zscaler, Inc., San Jose, California
- CrimeBlocker, SecureMyFirm Inc., Minneapolis, Minnesota [Disclaimer: This is the author’s company]