Threat Intelligence

Ransomware Attacks on Law Firms

Daniel Dimov
July 11, 2016 by
Daniel Dimov

1. Introduction

Since 2015, information security specialists have been stressing that the number of ransomware attacks against law firms has increased significantly. In simple words, Ransomware is a malware which restricts access to information stored on a computer and demands the user of that computer to pay a ransom to remove the restriction. Firms providing legal services are attractive targets for ransomware attacks because many of them are ready to pay to cyber criminals to avoid the negative reputational consequences which arise from the failure to protect their clients' sensitive information.

Our article examines the anatomy of ransomware attacks (Section 2). Next, it discusses major ransomware attacks on law firms in the United States, Canada, and Ireland (Section 3). Afterward, we provide recommendations on how law firms can avoid potential ransomware attacks (Section 4). At the end of the article, a conclusion is drawn (Section 5).

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

2. The anatomy of ransomware attacks

Typically, a ransomware attack consists of four stages, namely, (1) infection with ransomware, (2) activation of ransomware, (3) request for ransom, and (4) payment of a ransom. These four stages will be examined in more detail in Sections 2.1-2.4, respectively.

2.1 Infection with ransomware

Not a long time ago, ransomware was spread mainly through spam e-mails. However, due to the advancement of anti-spam technologies, cyber extortionists turned to phishing, i.e., a cyber-attack aimed at collecting sensitive information from an unsuspecting user by imitating a trustworthy source. According to James Trainor, a Cyber Division Assistant at FBI, the latest trend in ransomware propagation relates to seeding legitimate websites with malware.

2.2 Activation of ransomware

Ransomware is usually activated immediately after being installed on the victim's computer. Depending on ransomware's operations, we can distinguish three types of such malware, namely, (1) ransomware which simply locks the infected computer, (2) ransomware which encrypts files stored on the infected computer, and (3) ransomware which show ads on victim's computer.

Out of the three types of ransomware mentioned above, the second type is most difficult to tackle. The malware entitled 'CryptoWall' is a typical example of ransomware which encrypts victim's files. It copies and encrypts commonly used office file extensions, such as .doc and .xls. Afterward, CryptoWall deletes the original files. Thus, the victims are unable to restore their files unless paying the ransom. A representative of the Counter Threat Unit at Dell SecureWorks stated that CryptoWall has affected over 600.000 computers in a period of just six months at the beginning of 2014.

2.3 Asking for a ransom

After being activated, ransomware displays a message to the victim containing instructions on how a ransom can be wired to the crooks. The creators of ransomware usually ask for nominal payments (e.g., USD 200-300) to incentivize the victims to pay without conducting expensive cyber security investigations. By way of illustration, earlier this year, extortionists infected the computers of the Melrose Police Department in Massachusetts with ransomware and asked for a ransom amounting to a single Bitcoin (at present, 1 Bitcoin equals USD 736,87). After paying the ransom, the police regained the control over the restricted files.

2.4 Payment of a ransom

The ransom is usually wired through Western Union or sent in the form of Bitcoins. The reason for using such payment methods lies in the fact that Western Union and Bitcoin transactions are difficult to track. Therefore, the origin of the attacks can remain camouflaged. In this regard, Craig Williams, a security expert at Cisco, stated: "The ability to demand payment in bitcoin, a difficult-to-trace virtual currency not controlled by any country, was ' the birth of ransomware' and has helped drive its success since the currency's introduction in 2009."

3. Ransomware attacks on law firms in the United States, Canada, and Ireland

Law firms of all sizes are vulnerable to ransomware. However, small law firms which lack financial resources necessary for the development of comprehensive security programs are especially susceptible to information security attacks. In this section, we will focus on recent ransomware attacks on law firms in three countries, namely, the United States (Section 3.1), Canada (Section 3.2), and Ireland (Section 3.3).

3.1 The United States

At present, CryptoWall is one of the biggest threats to law firms in the United States. Ryan Johnson, a legal technology specialist, describes in detail a real CryptoWall attack on one U.S. law firm. The employees of the legal company learned about the attack when they found unusual files (e.g., "HELP_DECRYPT") on the law firm's computers. The files were encrypted versions of office file extensions commonly used by company's employees. The original versions of the files were deleted. The criminals requested to transfer a ransom of USD 700 in exchange for the supply of an encryption key which would help to regain the access to the files. However, the firm refused to obey cyber criminals' request. Commenting on company's decision to refuse to pay the ransom, Ryan Johnson stated: "Though we had roughly triple that amount in lost productivity and billable hours fixing this mess, negotiating with terrorist simply wasn't an option!" The attacked law firm deleted the infected files and replicated their backup drive to the previously infected drive. It took them two days to restore 1.5 terabytes of targeted data.

3.2 Canada

After a number of law firms in British Colombia, Canada, were infected with ransomware, the Law Society of British Columbia issued an official warning informing its members about the risks posed by ransomware attacks. The companies that were targeted by cyber criminals preferred to remain anonymous to avoid potential reputational damages.

The Law Society of British Columbia published detailed information on the ransomware attack on a law firm in British Columbia. The law firm became aware of the attack on 29th of December 2014 when the following notices appeared on the monitors of the firm: "Your files were encrypted and locked with an RSA2048 key." The ransomware requested the firm to contact certain address within 12 hours and pay the requested ransom. Furthermore, the malicious program threatened the firm that the fee would double in case of a non-payment within the specified period. The company succeeded to recover the deleted files by using its backup systems and informed police officers about the attack. In relation to the increasing number of ransomware attacks on law firms in Canada and worldwide, the Law Society of British Columbia reminded its members of their obligation to take reasonable efforts for protecting their computer systems, using regular backup procedures, and avoiding opening suspicious files.

3.3 Ireland

Similarly to its Canadian counterpart, the Law Society of Ireland also stressed the importance of safeguarding against the risks posed by ransomware attacks. The warning came after more than a dozen Irish law firms were hit by ransomware attacks in a short period. Although the targeted firms managed to recover their data without paying any ransom, some attacked companies experienced significant data losses. One Irish solicitor described the ransomware attack on his law practice as "potentially disastrous for his firm".

4. Recommendations on how law firms can avoid ransomware attacks

Although one simple mouse click can open the door to ransomware, there are measures that can help to avoid such a cyber threat. Below, we provide nine recommendations on how law firms can avoid falling victims to ransomware attacks.

(i) Since ransomware infections often occur through phishing, organizations need to develop comprehensive information security awareness programs. Such programs are the most effective protection against phishing attacks. Even the best anti-virus software cannot stop an employee from opening a malicious email attachment.

(ii) Organizations need to prepare a robust plan on how to act in case of a ransomware attack. Thus, as an actual attack occurs, they will be able to restore the encrypted files quickly without much hassle.

(iii) As mentioned above, fraudsters often insert ransomware in copies of legitimate websites. Insertion of ransomware in pop-ups is a popular technique for spreading malware. Therefore, organizations are advised to enable their pop-up blockers.

(iv) Since antivirus software may detect and neutralize ransomware, the installation of reputable and up-to-date antivirus program should be considered as an important measure for preventing malware attacks.

(v) Some types of ransomware automatically send personal data to criminals. Thus, it is advisable to disconnect the computer infected with ransomware immediately after noticing the malware.

(vi) Law enforcement authorities usually have extensive experience in dealing with ransomware. That is why they should be the first point of contact in case of such attacks.

(vii) Many insurance brokers offer cyber security insurance packages which cover various information security incidents, including ransomware attacks. Such cyber security insurance may mitigate the financial consequences of ransomware attacks.

(viii) To be activated, ransomware should be installed on a computer. Hence, restricting employees of a law firm from installing any software on their computer without the authorization of a cyber security professional can be an effective ransomware prevention measure.

(ix) Payments of a ransom need to be avoided for two reasons. Firstly, there is no guarantee that the file restrictions will be lifted. Secondly, such payments incentivize cyber criminals to continue propagating ransomware.

5. Conclusions

This article has explained the operation of ransomware, a rapidly growing malware attack, discussed several ransomware incidents on law firms, and provided recommendations on how to improve the protection of company's digital infrastructure against such attacks. Although most of the examined ransomware attacks were well-managed by the targeted law firms, there can be a large number unpublished cases of such cyber crimes which resulted in financial and companies' data losses. As pointed out above, law firms may prefer not to announce information security incidents to keep their reputation intact. Consequently, the threats of ransomware should not be underestimated just because the reports describing ransomware attacks are lacking.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.


  1. 'BC law firm's computer system hacked by extortionist', The Law Society of British Columbia, 31 December 2014. Available at .
  2. Bushey, C., 'Russian cyber criminal targets elite Chicago law firms', Crain's Chicago Business, 29 March 2016. Available at
  3. 'Cryptolocker Ransomware Alert', The Law Society of British Columbia, 31 January 2014. Available at .
  4. Cunningham, K., 'The New Normal: Cyber Security Insurance', SailPoint, 25 February 2016. Available at .
  5. Definition of 'Cold Backup', TechnoPedia. Available at .
  6. Dimov, D., Juzenaite, R., 'The Most Popular Social Network Phishing Schemes', Infosec Institute, 10 November 2015. Available at /the-most-popular-social-network-phishing-schemes/ .
  7. Gluckman, N., Simmons, C., 'Cravath Admits Breach as Law Firm Hacks Go Public', The American Lawyer, 30 March 2016. Available at .
  8. Hansen, S., 'Cyber Attacks Upend Attorney-Client Privilege', Bloomberg, 19 March 2015. Available at .
  9. Hong, N., Sidel, R., 'Hackers Breach Law Firms, Including Cravath and Weil Gotshal', The Wall Street Journal, 29 March 2016. Available at
  10. 'Incidents of Ransomware on the Rise', The Federal Bureau of Investigation, 29 April 2016. Available at .
  11. Jacob, J., 'Did Bitcoin Lead To Birth Of Ransomware?', The Cointelegraph, 15 April 2016. Available at .
  12. Johnson, R., 'How Our Law Firm Survived a CryptoWall Ransomware Attack', LinkedIn, 23 September 2015. Available at .
  13. 'Law firms held to ransom by cyber criminals', RTE News, 5 June 2016. Available at .
  14. Samburaj, D., 'Melrose Police Pay 1 Bitcoin to Get Rid of Ransomware', CryptocoinsNews, 1 March 2016. Available at .


Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.

Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.