Ransomware as a service puts law firms in the crosshairs
With their risk-averse tendencies, law firms are increasingly high-profile targets for ever bolder cybercriminals, says Nick Hayne at Quiss.
When law firms suffer a security breach, it makes the headlines. Thankfully, the reported numbers appear low, but is what is reported the true picture, or just the tip of the iceberg? Would any firm that is not obliged by regulation to disclose a breach choose to admit it has been hit and risk the reputational damage?
And there’s the problem. Without complete transparency, how can anyone be sure of the risks and success rates of malicious actors? After all, it’s unlikely cybercriminals will go public with their successes, unless they’re trying to force a ransom from their victim by threatening to release sensitive data.
According to Lindy Cameron, chief executive of the UK National Cyber Security Centre, things might be about to get even worse. She recently highlighted a worrying trend: “ransomware as a service”. ‘Professional’ criminal developers now offer ransomware as a product, either for a fixed fee or in exchange for a share of the ransoms their customers (the “affiliates”) extract from successful attacks; the developers supply the malware, payment portals and leak sites, while the affiliates carry out the intrusions.
Criminals with little technical skill can therefore join the modern crime wave, buying from malicious developers without investing the time or money needed to learn the necessary skills. This means more criminals launching more attacks with more sophisticated ransomware, and that has to be a concern for any organisation connected to the internet, particularly one with lots of people working from home.
Cameron warned of criminals conducting comprehensive reconnaissance on targets to identify cybersecurity weaknesses before launching attacks to access networks and locate business-critical data to encrypt and ransom. They also seek out the backups that would otherwise mitigate a ransomware attack: any backup reachable from the compromised network with the credentials the attacker already holds is likely to be deleted or encrypted before the ransom note appears, which is why offline or immutable copies matter.
She also warned criminals may even research cyber insurance policies to see if a target is covered to pay ransoms. This chilling thought may explain the increasing popularity of law firms as targets.
Criminals know a good target
Criminals recognise that law firms fear not only the financial loss associated with a breach, but also the potential reputational damage.
Hackers also know that law firms are risk averse and generally insured, at great cost, against every eventuality. So it is hardly surprising that many hold cyber insurance policies, which by their very nature may cover a payment to retrieve data.
By insuring against the impact of an attack, law firms may well be putting themselves in the crosshairs, making themselves attractive to criminals who have little to lose and much to gain if they get lucky just once and find a security hole or zero-day vulnerability.
As with most things in life, prevention is better than cure, and the same is true of cybersecurity. Don’t wake up tomorrow wishing you had done more when there is still more you can do now.