
GPSolo eReport

GPSolo eReport July 2023

Ransomware: Protection Measures for Law Firms

Girish Chiruvolu


  • Any business that is even remotely connected to the Internet and doing online transactions should be aware of the term “ransomware.” Law firms, no matter how big or small, are no exception.
  • Ransomware is a type of malware/virus that can lock out victims from their own computer/network systems and only let them back in when the bad actor’s ransom demands are met.
  • To combat ransomware, law firms must identify their critical systems and confidential data, protect their systems with antivirus software and authentication processes, and maintain immutable backups.

In the current world of cybersecurity, any business that is even remotely connected to the Internet and doing online transactions should be aware of the term “ransomware.” Law firms, no matter how big or small, are no exception. Protecting clients’ confidential information is of the utmost importance, and lawyers are ethically obligated to secure their clients’ case-related confidential data and documents.

Notable law firms that have been impacted by ransomware attacks include Campbell Conroy & O’Neil P.C.; Fragomen, Del Rey, Bernsen & Loewy; Grubman Shire Meiselas & Sacks; Jenner & Block; K&L Gates LLP; Kirkland & Ellis LLP; and Proskauer Rose, to name a few. The costs of these attacks ranged from a few hundred thousand to millions of dollars, depending on the size of the firm and the nature of the data the bad actors were able to exfiltrate.

So, what exactly is ransomware, why is it so dangerous for law firms in particular, and how can you protect yourself and your firm?

Understanding Ransomware

Simply put, ransomware is a type of malware/virus (software) that can maliciously lock out victims from their own computer/network systems and bundle critical files and client data in such a way that only when the bad actor’s “ransom” demands are met will the victims be able to unlock the data and get back to normal operations. Ironically, these attacks use the same technology that lawyers rely on to keep all their online communications safe from eavesdropping: encryption.

There are three fundamental components of an encryption-based ransomware attack, namely:

  1. the assets or valuables that need protection, in this case, critical files, data, and systems;
  2. the owner of the assets, whose survival or continued operation depends on these assets and thus is potentially willing to meet any nefarious demands to repossess them; and
  3. the attacker, who targets the owners, gets hold of the assets illegally, and demands ransom money from the owner.

There is one additional technical component in the cryptography world that is relevant to ransomware: plaintext versus ciphertext. Plaintext is the original data (e.g., documents, video files, etc.); it is “consumable” by people and the computer systems they use to continue normal business operations. When the plaintext is encrypted with a digital key, it becomes ciphertext that must be decrypted again before it can be consumed once more. Once a bad actor has encrypted the data, recovering the plaintext by computational brute force, that is, by trying one combination of digital key after another, is next to impossible; given the current level of computing power, the effort could take hundreds of years.

Rubbing salt in the wound, most ransom payments are demanded in cryptocurrency, which makes it difficult, if not totally impossible, to trace where the payments end up. Further, even if the ransom is paid and access to the data is restored to the owner, bad actors can periodically and repeatedly demand additional ransom money by threatening to release a copy of the victim’s sensitive data to the public.

Protecting Your Law Firm Against Ransomware

Any security controls aimed at addressing ransomware attacks are best grouped into and aligned with the National Institute of Standards and Technology’s Cybersecurity Framework (CSF), which can be summarized broadly as: identify, protect, detect, respond, and recover. We will focus on the first two, but the last three are also important operational steps to recover from any attack. For law firms, they translate into:

  • Identify. Identify your critical systems and applications, as well as your clients’ confidential data.
  • Protect. Best practices include required authorization and authentication, antivirus software, encrypted backups, and staff training.
  • Detect, respond, and recover. These three are interconnected, but it is worth mentioning that immutable backups play a crucial role in responding to and recovering from ransomware attacks. The better the backups, the less urgency there is to pay a ransom. Security experts recommend that businesses maintain at least one air-gapped backup (i.e., a backup that is not connected to the Internet 24/7).

For the last three years (2020–2023), the most common entryways for cyberattacks such as ransomware have been (1) email phishing; (2) compromised credentials (passwords, etc.); (3) software vulnerabilities, including operating system vulnerabilities that potentially can be exposed to the Internet; and (4) disgruntled insiders (or soon to be ex-employees). These are the areas where you should look to enhance your law firm’s security.

Strengthen Your Access Credentials

Eighty-five percent of ransomware infections are due to the users’ own activity and compromised credentials. Time and again, these have been the main and easy paths for hackers to infiltrate any organization and plant malware. Although it helps to add layers of defense such as multi-factor authentication (e.g., entering both a password and a one-time code sent to the user’s smartphone), these defenses are not foolproof, and businesses as large as Microsoft and Google have reported attacks that bypassed their multi-factor authentication systems. Security experts now strongly recommend moving away from traditional login passwords and transitioning toward better solutions such as bearer-aware authentication codes that are anti-theft, anti-replay, anti-phish, and anti-bypass.

Keep Your Anti-Malware Software Up-to-Date

Ensure that your antivirus software is updated regularly and has capabilities beyond signature-based virus detection. These non-signature-based techniques go beyond recognizing known malware signatures: they detect the abnormal activity and behavior of morphable (self-modifying) viruses and malware, which change their code to evade signature matching.
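What a non-signature, behavior-based check looks like in practice, as an added example that is not part of the original article: it scores file-activity events per process on three signals (a burst of writes, writes whose content has the high entropy typical of ciphertext, and renames that tack a new extension onto documents) and only flags a process that trips at least two of them. The events, process names, paths and thresholds are constructed for illustration, not taken from any product's log format or any real incident.

```python
import math
import ntpath
from collections import Counter, defaultdict

# Constructed sample data (not from any real incident): a document editor saving
# plaintext, then an unknown process overwriting many matter files with ciphertext.
CIPHERTEXT = bytes(range(256))  # stand-in for encrypted content: every byte value once
PLAINTEXT = b"Dear counsel, please see the attached brief and exhibits."
EVENTS = [  # (seconds, process, action, path, bytes written)
    (0, "winword.exe", "WRITE", r"C:\Matters\Smith\brief.docx", PLAINTEXT),
    (30, "winword.exe", "WRITE", r"C:\Matters\Smith\brief.docx", PLAINTEXT),
]
for i in range(12):  # one process touching a dozen client files within seconds
    path = rf"C:\Matters\Client{i}\contract.docx"
    EVENTS.append((60 + i, "updater.exe", "WRITE", path, CIPHERTEXT))
    EVENTS.append((60 + i, "updater.exe", "RENAME", path + ".locked", b""))


def normalized_entropy(data: bytes) -> float:
    """Shannon entropy scaled to [0, 1]; encrypted or compressed content sits near 1."""
    n = len(data)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / math.log2(min(n, 256))  # a short buffer cannot reach 8 bits per byte


def score_processes(events, window=60, burst=10, entropy_thr=0.9):
    """Map each process to the behavioral signals it tripped; two or more flag it."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev[1]].append(ev)
    flagged = {}
    for proc, evs in by_proc.items():
        writes = [ev for ev in evs if ev[2] == "WRITE"]
        times = sorted(ev[0] for ev in writes)
        # peak number of writes inside any sliding window of `window` seconds
        peak = max((sum(1 for u in times if t <= u < t + window) for t in times), default=0)
        high = sum(1 for ev in writes if normalized_entropy(ev[4]) >= entropy_thr)
        # renames that tack an extra extension onto a document (brief.docx -> brief.docx.locked)
        tacked = sum(1 for ev in evs
                     if ev[2] == "RENAME" and ntpath.basename(ev[3]).count(".") >= 2)
        checks = [(peak >= burst, f"{peak} writes within {window}s"),
                  (writes and high / len(writes) >= 0.5, f"{high}/{len(writes)} high-entropy writes"),
                  (tacked > 0, f"{tacked} renames adding an extension")]
        reasons = tuple(msg for ok, msg in checks if ok)
        if len(reasons) >= 2:  # demand independent signals to limit false positives
            flagged[proc] = reasons
    return flagged
```

Running `score_processes(EVENTS)` flags only `updater.exe`; the editor's two plaintext saves trip none of the signals, which is the point of requiring more than one.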

Maintain Good Backups

While a good system for creating backups is generally considered to be a preventative measure, it is actually one of the most important controls in protecting against ransomware. As a general rule, aim for a 3-2-1 backup strategy for your invaluable data: three backups on at least two different media (e.g., both cloud backup and a local USB backup), with at least one air-gapped backup.

For the cloud storage backup, use the native encryption capabilities offered by the vendor so that all confidential data is encrypted at rest (i.e., in storage). Protect the encryption keys with strong authentication. This ensures that even if bad actors get hold of your valuable data, they still cannot extract ransom by threatening to publish it as plaintext.

Restrict Access and Authorization

Reduce the number of users with privileged access to confidential data and systems. Use “least-privilege,” role-based access control: Users should have access only to those systems and data that are necessary for them to perform their jobs.

Reduce the number of third-party users and clients on shared storage systems, especially regarding the intake and exchange of confidential data. The compromise of a single user credential by hackers can lead to the injection of malware-embedded documents into the shared system; these documents, when opened or shared, then trigger the infection of local systems. When a case engagement is closed with a client, it is best practice to remove or temporarily suspend the active account for that client on your systems.

Closing Advice

Here are four basic steps your law firm can take to guard against ransomware and other cybersecurity attacks:

  1. Invest in a secure system with up-to-date security measures. This will ensure that your data stays safe and secure and will also give you peace of mind knowing that you are doing all you can to protect your practice.
  2. Educate your staff on the importance of cybersecurity and how to keep their passwords and credentials safe. This will help to reduce the risk of a breach and make sure that your clients’ data is secure.
  3. Regularly monitor your system for any potential threats or suspicious activity. This will help you detect any potential security threats quickly and take the necessary steps to mitigate them.
  4. Make sure that your business is compliant with all applicable laws and regulations. This is important to help protect you from potential malpractice lawsuits due to data breaches or unauthorized access to client confidential data.