Legal Futures (https://www.legalfutures.co.uk)

Email phishing and ransomware on the rise, SRA warns firms

Cyber security: Ransomware attacks increasingly involve theft

Email-based fraud is on the rise and is the dominant method criminals use to access law firms’ systems, according to the Solicitors Regulation Authority (SRA).

Ransomware was also increasing and evolving – rather than just blocking access to files, criminals were now stealing and threatening to make them public as well.

It also warned that crooks were likely to “find uses” for artificial intelligence (AI) and the “clearest use in the medium term will be making phishing contacts and other false communications more credible”.

Email phishing made up 83% of the reports the regulator received about cybercrime last year.

The SRA said it was “very likely” that many other instances had begun with a phishing email, but firms were not certain how their systems had been compromised.

“This is because email is the easiest and most common type of attack, which provides a means of access for many types of cybercrime.

“We are seeing an increase in email frauds that target a wider range of practice areas, in addition to conveyancing, where firms might be less alert to this threat.

“Another sign of adaptation comes from a report of criminals intercepting and falsifying physical mail between a firm and client to request funds.”

In a Risk Outlook report [1] on information security and cybercrime, the SRA said cyber-security firms were making more use of AI in identifying phishing and malware.

“However, criminals will also find uses for AI. The clearest use in the medium term will be making phishing contacts and other false communications more credible and harder to distinguish from the individual being copied.

“Such AI-assisted attacks have been very expensive to carry out in the past, but they are likely to become cheaper.”

Meanwhile, the SRA said 18 law firms reported ransomware attacks in 2021.

“This is not a large number, but attacks can have very serious impacts on firms. The cases that were reported to us may not give the true picture of the threat, as they represent only those cases where client information was affected.”

The regulator said older types of ransomware simply encrypted data and temporarily interrupted access to it, but newer ransomware stole data as well; threats to release sensitive information were “an additional pressure to get targets to pay the demanded ransom”.

The use of ransomware to steal files was “a growing threat”, and file stealing was expected to become “a normal part” of how ransomware extorts money.

“Ransomware will continue to increase in sophistication and to use a wider range of methods to influence its targets. It is likely to increasingly become fully automated, attacking any target with suitable weaknesses.

“Most attacks will be random and be because the firm has a weakness that could be detected. However, some might be targeted intentionally. This could be used by unscrupulous parties to damage the operations of a firm that is acting for an opponent in litigation, for example.”

Law firms acting on nationally significant infrastructure projects could be particularly at risk at a time of international tension, along with those representing Ukrainian, Russian or Belarusian clients.

An increasing number of law firms were being affected by attacks on third parties.

“Examples we have seen include a compromised system at an IT service provider, which the criminals used to spread malware to the firm’s customers, and an attack on a barristers’ chambers. Both of those spread to multiple solicitors’ firms.”

The SRA said there were many ways a compromised provider could be used to attack a law firm.

“At its simplest, it can mean sending phishing communications from the provider. One of the subtler methods is to modify a software update to deliver malware.”

The regulator added: “The underlying reasons why criminals try to hack legal firms have not changed. And in a legal market that is increasingly dependent on IT systems, criminals have more potential opportunities to attack using that method.”

Paul Philip, chief executive of the SRA, commented: “It is in everyone’s interest that firms take all reasonable steps to protect themselves and their clients, all the more so as innovation and increased use of IT make information security a priority.

“Protection isn’t just about software. Having the right systems in place, such as anti-virus software or multi-factor identification, really matters. But good training and a culture in relation to managing risks is just as important.”

Separately, a survey has found that almost half of the law firms that embraced remote working during the pandemic failed to offer any additional cyber-security training.

Researchers also found that while most lawyers were aware of advice and guidance on cyber-security from the SRA, only a third actually read it.

Menlo Security, a California-based cyber-security company, commissioned IRN Research to survey 150 legal professionals in firms with annual turnovers of over £10m.

Lawyers were well aware of the impact of cyber-attacks, but of the three quarters of law firms that embraced remote working during the pandemic, only 45% had put in place additional cyber-security training – 48% did not (the rest were unsure).

Even when firms introduced additional digital services for their clients during the lockdowns, only a minority (47%) coupled this with additional cyber-security training.

Almost two-thirds (64%) of lawyers were aware of guidance and advice from the SRA about cyber security, but only 35% had read it. Awareness of the Law Society’s advice and guidance was lower, at 54%, with only a third (33%) taking time to read it.

Around a quarter of lawyers worked in law firms that had experienced a cyber-attack.

A third reported that the attack closed services for only a few hours. However, 28% said the impact lasted for a day and 13% for up to two days. A small group (5%) said the disruption lasted for longer.

Most lawyers (57%) said their firms had put procedures in place to deal with cyber-attacks.

Phishing emails to law firm clients and phishing or malware on mobiles were seen as the biggest threats to firms, followed by phishing emails to the firms themselves, ransomware and malware on websites.