[BreachExchange] Ransomware Attacks Hit Three Law Firms in Last 24 Hours

Destry Winant destry at riskbasedsecurity.com
Tue Feb 4 10:09:57 EST 2020


https://www.lawsitesblog.com/2020/02/ransomware-attacks-hit-three-law-firms-in-last-24-hours.html

Five U.S. law firms — three in the last 24 hours — have been among the
companies and organizations targeted by a new round of ransomware
attacks. In two of the cases, a portion of the firms’ stolen data has
already been posted online, including client information.

This is according to Brett Callow, a threat analyst with Emsisoft, a
cybersecurity company that is also an associate partner in the No More
Ransom Project, an initiative between multiple law enforcement
agencies and the private sector.

Hackers have stolen data from at least five law firms, using the
threat of releasing the data to extort payment from the firms, Callow
said. In the two cases in which hackers already posted law firm data,
they published it on the clear web where it can be viewed by anybody.

The hackers are using the so-called Maze ransomware, which was the
subject of a warning issued to companies earlier this month by the
FBI. Earlier this week, Ars Technica reported that victims of the Maze
ransomware attacks have included a grocery chain, a CPA firm, and a
college.

The hackers infiltrate systems using email with malicious attachments,
Callow said. He does not know the exact nature of the emails being
used against law firms, but he assumes they are being crafted in such
a way that lawyers are likely to open them.

Their modus operandi is to initially name the companies they’ve hit on
their website and, if that doesn’t convince the companies to pay, to
publish a small amount of their data as “proofs.”

“This makes sense,” Callow said. “The more data they publish and the
more sensitive that data is, the less incentive an organization has to
pay to prevent the remaining data being published. It’s the equivalent
of a kidnapper sending a pinky finger.”

If the organization still doesn’t pay, the remaining data is
published, sometimes on a staggered basis, he said.

The group has also published data in Russian hacker forums with a note
to “Use this information in any nefarious ways that you want,” Callow
said.

Once a company does pay, then its name is removed from Maze’s website.

If any reader has more information on the nature of the emails being
used, please let me know and I’ll update this post.

