Case study August 10, 2021

Cyber claims case study: Law firm leakage

When a law firm employee fails to recognise a malicious attachment, it prompts a full-blown ransomware attack

One of the main drivers of cyber losses is ransomware. Ransomware is a type of malicious software or encryption program that works by encrypting data on a network and then demanding that a ransom be paid in exchange for a decryption key to regain access to the data. Ransomware has wreaked havoc on countless businesses in recent years, and those operating in the legal sector are no exception to this.



A key reason why ransomware has become more problematic recently is due to the growth in data exfiltration and publication. In the past, ransomware would usually just involve hackers infiltrating an organisation’s computer systems, encrypting data and then hoping that the operational disruption caused by this would encourage companies to pay the ransom demand. However, if organisations had back-ups in place (or at least back-ups that weren’t compromised during the course of an attack), they could often look to recover from back-up without paying the ransom demand.

To improve their leverage in ransom negotiations, cybercriminals have now started to exfiltrate data during the course of ransomware attacks, which they can then threaten to publish online. The logic behind this strategy is that even if an organisation has back-ups in place that they can recover from, the potential reputational damage caused by having their data published online may make them more inclined to pay the ransom demand.

One of our policyholders who recently fell victim to a ransomware attack was a small law firm with annual revenues just short of £20 million. The law firm caters to both private individuals and commercial organisations and operates across a wide range of legal practice areas.

Enabled macros opens gateway to attack

The incident began with a phishing email. In this case, one of the law firm’s employees received an email from what they assumed was a trusted contact. The email appeared as part of a pre-existing email chain and came with a Word document attached, with the latest email in the chain simply stating “Please see attached.” As the email appeared to come from a legitimate source, the employee clicked on the attachment.

While attempting to open the attached document, a notification popped up stating that the document in question was created in a previous version of Word, and in order to view the document, the “enable content” button at the top of the document would have to be clicked. Wanting to see what the document contained, the employee clicked the “enable content” button.

By clicking the “enable content” button, the employee enabled macros to run. Macros are a function of the Microsoft Office suite of products, such as Word, Excel and PowerPoint, that can be used to automate common tasks. Although the use of macros can help productivity, they also pose a security risk because cyber criminals can create malicious macros that can be used to automate commands and execute malicious code onto the end user’s computer. In the past, macros used to run automatically by default, but in more recent versions of Microsoft Office, macros have to be enabled by the user before the macros can run. Cybercriminals, therefore have to prompt users to turn on macros before they can carry out malicious attacks using this method.

By enabling macros, it automatically executed a series of commands which resulted in malicious software being downloaded

Unfortunately for the law firm, the document that the employee had clicked on contained malicious macros. By enabling macros, the Word document automatically executed a series of commands which resulted in malicious software being downloaded onto the employee’s computer, allowing the hacker to gain remote access to
the device. The malicious software also signalled basic network information back to the threat actor, such as the company’s domain name, thus allowing the hacker to investigate the organisation and decide whether it was worth infiltrating further.



Back-up not enough to stop hackers

Having established that the law firm made a suitably lucrative target, the threat actor then downloaded a password scraping software from the internet. This allowed the hacker to gain access to every password ever used on the employee’s computer, including the domain administrator account and password originally used to set up the computer. With these credentials at their disposal, the hacker was therefore able to gain higher access privileges across the law firm’s network and launch their encryption software across multiple servers. This resulted in a ransom note for the business, and requesting a payment of £195,000 in bitcoin be made in exchange for the decryption key.

After discovering the ransom note and realising that their computer systems and data were no longer accessible, the law firm notified CFC’s incident response team to determine the next steps. The incident response team’s first priority was to establish the status of the organisation’s back-ups. Fortunately, the law firm had offline back-ups stored on a USB flash drive that it could look to recover from, and the business had largely regained access to its computer systems within a 72- hour period without having to make the ransom payment.

However, this wasn’t the end of the matter. CFC’s incident response team were alert to the fact that the ransomware variant used in the attack had been associated
with data exfiltration in previous attacks. So the next focus was on establishing whether data had been accessed and stolen from the law firm’s systems, with a digital forensics firm being appointed to carry out this task.

This resulted in a ransom note requesting a payment of £195,000 in bitcoin be made in exchange for the decryption key.

Sure enough, a few days after the organisation had recovered from back-up, those responsible for the ransomware attack contacted the law firm, explaining that they had stolen data during the attack and threatened to publish the data on a public file sharing website if the ransom demand was not met within a certain timeframe.


Firm avoids paying ransom

Despite these threats, the law firm ultimately opted not to pay the ransom demand. The decision not to pay was based on a number of different factors. The first factor was the question of the threat actors’ reliability. CFC’s internal threat intelligence team, as well as our third party partners, explained to the law firm that the criminal gang associated with this particular ransomware variant had a history of falling back on promises to delete all of the data they had exfiltrated, with the gang either selling it on the dark web or trying to re-extort victims after they had paid.

The second factor was that as a law firm, regardless of whether the data was released publicly or not, the organisation knew they would have to notify any private individuals at risk of harm, as required by local regulatory requirements, and any commercial customers would be notified out of courtesy. The third factor that influenced the decision not to pay was that the initial findings from the forensic investigation suggested that the data that had been exfiltrated was largely benign, with very little in the way of highly sensitive commercial or personal data having been accessed or stolen.

These three factors convinced the law firm that engaging with the cyber criminals and making the ransom payment would be a largely pointless exercise.


Hackers try one last time

With the law firm deciding not to make the ransom payment, the cyber criminals responded by making good on their threat and publishing the stolen data on a file sharing website. Fortunately, however, our incident response team were alert to this fact. Our team contacted the file sharing website that was hosting the data, requesting that the data be removed and explaining that the data in question had been stolen illegally and that this breached the file sharing service’s own terms of service in respect of publishing third party content without permission.

Thankfully, the file sharing website was receptive to the request and promptly removed the data from the site. The website also noted that the file containing the data had only been downloaded a few times, all of which could be traced to the law firm itself, a third party incident response partner of ours assigned to the case, and the local law enforcement agency that had been notified of the incident.

Although the law firm managed to recover from back-ups and avoided paying the ransom demand, the incident was not without its costs. A forensic investigation of the insured’s computer systems to establish the root cause of the loss and the extent of the data breach cost £27,450, while third party legal assistance to help the insured determine the correct course of action came to £33,705. Thankfully, these costs were all recoverable under the law firm’s cyber policy with CFC.

Regaining control and lessons learnt

This claim highlights a few key points. Firstly, having offline backups is essential. Organisations that keep their back-ups on their own live environments run the risk of these back-ups being deleted or encrypted by cyber criminals during the course of ransomware attacks, which can seriously weaken their leverage in ransom negotiations as well as causing significant disruption to business operations. In this case, the law firm had prudently chosen not to store their back-ups on their live environment, allowing them to recover promptly and avoid any major operational disruption.

Organisations that keep their back-ups on their own live environments run the risk of these back-ups being deleted or encrypted during these ransomware attacks

Secondly, this illustrates the importance of disabling macros, except for those employees who genuinely require them in order to perform their jobs. Macros are valuable tools for automating tasks, but they are also a common way for malicious actors to execute attacks. Although macros are generally disabled by default in more recent versions of Microsoft Office, they can still be enabled by users if prompted. The good news is that macros are often only required by employees who need to make complex calculations as part of their daily work. So companies can completely disable macros for those employees that don’t need it, ensuring that even if an employee clicks to enable them, nothing will happen. In this case, if the employee had not been able to enable macros on the malicious attachment, it’s highly unlikely that the attack would have gone any further.

Finally, this claim illustrates the value of cyber insurance. When you buy a cyber insurance policy, you are not just buying a promise to pay valid claims. You are also paying for a service to advise you when things go wrong. This includes access to a whole range of network partners who are effectively on retainer to the policyholder via their purchasing of a cyber policy, which many small businesses might not otherwise be able to afford.

In this case, our incident response team and network partners were able to offer initial advice in relation to the ransomware variant and the group responsible for it; conduct a forensic investigation to establish the root cause of the incident and determine whether data had been exfiltrated; provide legal advice, and promptly remove the stolen data after it had been published online. All of this provided the law firm with a valuable support network when things went wrong.



To learn more about cyber check out our product page, or get in touch via