Law firms hit with average ransom demand of $2.5 million

Since 2018, 138 legal firms across the globe have publicly confirmed ransomware attacks on their systems, impacting at least 2.9 million records. 2023 saw the highest number of attacks (45) and records affected (1.6 million) so far.

A growing number of ransomware gangs use double-extortion tactics by stealing data and encrypting systems. The legal sector is an increasingly attractive target for cybercriminals. With troves of sensitive data, hackers can shore up their chances of securing payment by threatening to put solicitors’ clients’ data on the dark web if their ransom demands aren’t met.

The legal sector has faced astronomical ransom demands in recent years. The average ransom demand following an attack on a legal firm is $2.47 million, but the average ransom paid is lower at $1.65 million.

Many organizations remain tight-lipped on the details of such attacks. Our in-depth research into ransomware attacks on legal organizations attempts to estimate the true cost of ransomware attacks on law firms. Using data from our worldwide ransomware tracker, we look at the increasing threat of ransomware on legal firms and its consequences. We only include publicly-confirmed attacks, so our figures only scratch the surface.

Key findings:

From the beginning of 2018 to June 2024, our research found:

  • 138 individual ransomware attacks on legal organizations with peaks in 2023 (45) and 2021 (44)
  • At least 2,907,031 individual records were impacted in these attacks. 2023 accounts for more than half of this figure with 1.56 million records affected in total, an increase of 615 percent from 218,473 records in 2022
  • Ransom demands varied from $30,000 to $21 million
  • The average ransom demand on legal entities is just under $2.5 million
  • Black Basta conducted the highest number of attacks in recent years with three attacks so far for 2024 and 10 attacks in 2023. LockBit carried out nine attacks in 2023 while ALPHV/BlackCat and Darkside dominated in 2022 and 2021, respectively

Legal firms face an average ransom demand of $2.5 million

Ransom amounts demanded by hackers varied dramatically. Our research uncovered ransoms from $30,000 (paid by Parisian law firm Cabinet Remy Le Bonnois to Everest in 2021) up to $21 million (demanded by REvil after its attack on Grubman Shire Meiselas & Sacks, detailed below).

Unfortunately, information on ransom demands remains limited as many companies don’t disclose the figure and are even less likely to disclose if they’ve paid a ransom.

The top 5 biggest ransom demands on law firms

We found ransom figures in 11 confirmed cases with the five largest being:

  1. Grubman Shire Meiselas & Sacks, US – $21 million: After being hit by REvil ransomware in May 2020, New York firm Grubman Shire Meiselas & Sacks received a $21 million ransom demand from the gang. This was later upped to $42 million when the gang realized whose data was among that stolen (Donald Trump). The firm refused to pay.
  2. Ward Hadaway, UK – $3 million: After Lorenz ransomware gang targeted the UK law firm in March 2022, a $3 million ransom was demanded. It threatened to post the data online and double the ransom demand to $6 million if these demands weren’t met. The firm successfully secured an injunction against its attackers preventing them from leaking the data. How successful this was against anonymous hackers, however, is debatable.
  3. Shook Lin & Bok, Singapore – $1.4 million: Shook Lin & Bok reportedly negotiated the $1.4 million ransom demand with Akira ransomware in April 2024 after it started at $2 million. This likely aided the company’s quick restoration of systems, which took less than 24 hours.
  4. UnitedLex, UK – $600,000: After its March 2023 attack, UnitedLex is said to have negotiated with Donut ransomware hackers before refusing to pay the $600,000, which, a Donut spokesperson said, was significantly lower than the company’s insurance limit.
  5. Guyer y Regules, Uruguay – $300,000: LockBit demanded $300,000 from the Montevideo-based firm in August 2023. While the firm never confirmed whether or not it paid the ransom, many reports suggest it did.

Based on the figures we do have available, we know:

  • Ransom demanded (known cases):
    • 2024 (to June) – $1.4 million (1 case)
    • 2023 – $1.5 million (6 cases)
    • 2022 – $3 million (1 case)
    • 2021 – $234,000 (2 cases)
    • 2020 – $21 million (1 case)
    • 2018/2019 – N/A
  • Ransoms paid
    • 2024 (to June) – 1
    • 2023 – 4
    • 2022 – 0
    • 2021 – 3
    • 2018-2020 – N/A

While data is limited, you can see that the number of ransoms known to have been paid hasn’t declined in recent years, nor have the monetary amounts involved. We’re also far more likely to know if a ransom hasn’t been paid (due to the publication of the company on a gang’s data leak site or the company disclosing this themselves), than if they have paid.

Although the legality of paying a ransom is heavily debated, it is often the quickest way for companies to restore their systems and limit the impact of a data breach. Preventing companies from paying ransoms may help to ward off hackers to some extent but it is only part of the potential solution.

For example, the UK’s Cyber Security and Resilience Bill could enforce mandatory reporting of ransomware attacks. Making sure companies are reporting attacks will help raise awareness and knowledge of these attacks and will perhaps reduce the ‘taboo’ that so often surrounds the word ransomware. It would also ensure anyone whose data has been impacted in a ransomware attack is aware of this from the outset.

The top 5 biggest ransomware attacks on legal companies based on records affected

As we have already noted, data theft is at the heart of many ransomware attacks. And with such sensitive data on offer at legal firms, it’s often this that’s the most lucrative target for would-be hackers.

Below are the top 5 most affected legal companies for the number of records affected, all of which are based in the United States:

  1. Orrick, Herrington & Sutcliffe, Feb 2023 – 637,620 records affected: An unknown group hit the firm with a ransomware attack and stole client files containing names, addresses, DOBs, and SSNs. The legal firm was hit with an $8 million lawsuit after it failed to secure its systems and detect the breach in a timely manner.
  2. Bricker and Eckler, Jan 2021 – 430,185 records affected: The firm detected a ransomware incident on January 31, 2021, but discovered that hackers had access to client files from January 14, 2021. As well as names, SSNs, and driver’s license numbers, hackers also accessed medical and/or education-related information. The firm agreed to a $1.95 million data breach settlement.
  3. Houser, LLP, May 2023 – 370,001 records affected: ALPHV/BlackCat group claimed responsibility for the cyber attack on Houser, LLP that took place in May 2023. This resulted in 1.5TB of data being compromised, including sensitive data such as tax identification numbers, financial account details, and medical information. A class action for this breach is still underway in court.
  4. Greylock McKinnon Associates Inc., May 2023 – 341,650 records affected: Unknown threat actors targeted the company in May 2023, stealing a variety of data including medicare information. While Greylock detected the attack in May 2023 it didn’t notify those affected until February 2024. The company currently faces a class action lawsuit that alleges it failed to safeguard its clients’ data.
  5. Warner Norcross + Judd LLP, June 2021 – 255,160 records affected: LockBit ransomware group claimed responsibility for the June 2021 ransomware attack which affected the personal health information of over 250,000 people. A class action was also filed in this case, which Warner Norcross appealed late last year.

Interestingly, all five of these breaches were followed by class action lawsuits. Our recent study examined lawsuits following ransomware attacks. It found 12 percent of ransomware attacks on legal firms resulted in a lawsuit. 75 percent of these were successful, or 100 percent if voluntary dismissals (which may have been settled out of court) are counted.

As we have already emphasized, law firms often have access to highly sensitive data, frequently about clients whose data would be of interest to many. The Grubman Shire Meiselas & Sacks attack was a prime example.

In France, the Cabinet Remy Le Bonnois placed an alleged accomplice of the Everest ransomware group on trial after 13 million documents, including certain confidential documents and some relating to the Charlie Hebdo case, were added to its dark web site for $30,000 in May 2021. The accomplice, who had tried to help secure Everest a ransom under the guise of being a ‘white hacker’, was arrested and indicted for the crime.

Law firms will often use their legal prowess to try and deter ransomware attackers. UK firm Ward Hadaway issued its hackers with an injunction after its attack in 2022. Australian firm HWL Ebsworth Lawyers attempted to do the same after ALPHV/BlackCat targeted its systems in April 2023. This hasn’t stopped HWL Ebsworth from being investigated by Australia’s privacy watchdog, however. After 1.1TB of data was lost to the hackers, including that of 65 government agency clients, the firm’s ‘personal information handling practices’ are in question.

Ultimately, even though injunctions may apply some pressure to hackers, ransomware gangs and their affiliates often remain anonymous. And even when they are brought to justice, the restitution for affected companies can be limited. This was the case for Canadian firm Robson Carpenter LLP, which received just $2,500 after a NetWalker affiliate was ordered to pay restitution to eight of his victims.

The biggest years for ransomware attacks on the legal sector

Since our reporting began in 2018, we have seen two spikes in ransomware attacks on legal firms: one in 2021 (which coincides with the pandemic and a peak in ransomware attacks in general) and one in 2023. Last year was a record-breaking year for ransomware attacks across many sectors and this was no less true for legal firms. As we have seen, over half of the records breached in ransomware attacks since 2018 came from attacks in 2023.

If we look at when these attacks are taking place, we can see there’s often a surge in attacks toward the beginning and end of the year. While we can’t say exactly what may be causing these spikes, it’s interesting that they coincide with the end/start of tax years in many countries. Legal firms, especially those within the commercial sector, will likely experience higher workloads and tighter deadlines during this time, as well as the pressure of finalizing their own budgets.

Our research suggests ransom payments may also be more likely during these times. Out of the six legal organizations that confirmed paying a ransom, five of them made payments between January and April. Are firms more inclined to pay ransoms earlier in the year to avoid delays?

Please note: a higher number of attacks in a particular country doesn’t necessarily indicate that they are more targeted by ransomware groups. Rather, reporting of such attacks in these countries may be more widely available. This is especially the case with the US and its data breach notification laws.

The true cost of ransomware attacks on legal firms

As well as the cost of potentially paying a ransom and/or the consequences of a data breach, such as a lawsuit, downtime can also have a huge impact on these companies. While we only found 11 cases of noted downtime at law firms, the downtime noted by these companies ranged from hours to four weeks with an average of 11 days.

In some cases, the effects of such downtime can be catastrophic. In March 2022, London-based The Ince Group was hit with a LockBit ransomware attack. The firm spent £5 million ($6.5M USD) restoring its systems before it filed for administration in April 2023 after failing to raise enough funds to cover the costs of the cyber attack and other shortfalls.

With a 2017 estimate placing the average cost per minute of downtime at $8,662 (across 20 different industries), this suggests costs could have been as high as $18.8 billion for the 138 attacks we have listed.

Law firms remain a key target for ransomware groups in 2024

So far this year, Comparitech researchers recorded 11 publicly-confirmed ransomware attacks on the legal sector around the world, affecting over 7,000 records. We’ve witnessed a similar downward trend across most industries this year so far.

The confirmed $1.4 million payment to Akira from Shook Lin & Bok in April 2024, plus 94 unconfirmed attacks on the legal sector this year so far, show the threat to this industry remains high. As we have seen, it’s often the sensitive data held by lawyers that makes them a key target for hackers.

Methodology

Using the database from our ransomware attack map, our research found 138 legal ransomware attacks in total. From this data we were able to determine ransom amounts, whether or not ransoms were paid, and the downtime caused.

Our data focuses on confirmed ransomware attacks only.
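The per-year breakdown above (attacks, records affected, known ransom demands and payments) and the downtime cost estimate in the previous section are both simple aggregations over a tracker of confirmed incidents. The script below is an added example, not Comparitech’s own tooling, showing how such a tracker can be summarized the same way. Every incident row is constructed sample data with placeholder firm names; the field layout (year, records, demand, paid, downtime) is an assumption, and the only figure taken from the page is the 2017 estimate of $8,662 per minute of downtime.

```python
"""Aggregate a ransomware incident tracker into per-year summary figures.

All incident rows below are CONSTRUCTED sample data with placeholder firm
names; they are not the tracker behind the report. The Incident layout is an
assumption made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    year: int
    firm: str                       # placeholder name, not a real firm
    records: int                    # records affected (0 if unknown)
    demand_usd: Optional[int]       # ransom demanded, None if not disclosed
    paid: Optional[bool]            # True/False if known, None if undisclosed
    downtime_days: Optional[float]  # None if downtime was not reported


# Constructed sample incidents (hypothetical firms and figures).
SAMPLE = [
    Incident(2021, "Firm A", 430_185, None, None, 10),
    Incident(2021, "Firm B", 12_000, 30_000, True, 1),
    Incident(2021, "Firm C", 0, 438_000, False, None),
    Incident(2022, "Firm D", 218_473, 3_000_000, False, 28),
    Incident(2023, "Firm E", 637_620, None, None, 4),
    Incident(2023, "Firm F", 370_001, 600_000, False, None),
    Incident(2023, "Firm G", 8_000, 300_000, True, 2),
]


def summarize(incidents):
    """Per-year attack count, records affected, average known demand and
    number of confirmed payments. Undisclosed demands and payments are
    excluded rather than treated as zero, so averages reflect known cases."""
    by_year = defaultdict(list)
    for inc in incidents:
        by_year[inc.year].append(inc)
    summary = {}
    for year, rows in sorted(by_year.items()):
        demands = [r.demand_usd for r in rows if r.demand_usd is not None]
        summary[year] = {
            "attacks": len(rows),
            "records": sum(r.records for r in rows),
            "demand_cases": len(demands),
            "avg_demand_usd": round(mean(demands)) if demands else None,
            "paid": sum(1 for r in rows if r.paid is True),
            "paid_known": sum(1 for r in rows if r.paid is not None),
        }
    return summary


def average_downtime_days(incidents):
    """Mean downtime over the incidents that reported it (None if none did)."""
    days = [i.downtime_days for i in incidents if i.downtime_days is not None]
    return mean(days) if days else None


def downtime_cost_usd(attacks, avg_downtime_days, cost_per_minute_usd=8_662):
    """Upper-bound downtime cost: every attack is assumed to suffer the
    average reported downtime, priced at the page's 2017 cross-industry
    figure of $8,662 per minute."""
    minutes = avg_downtime_days * 24 * 60
    return round(attacks * minutes * cost_per_minute_usd)


def pct_change(new, old):
    """Year-on-year percentage change, rounded to the nearest whole percent."""
    return round((new - old) / old * 100)


if __name__ == "__main__":
    for year, row in summarize(SAMPLE).items():
        print(year, row)
    print("average reported downtime (days):", average_downtime_days(SAMPLE))
    # The page's scenario: 138 attacks, 11 days average downtime.
    print("downtime cost, 138 attacks x 11 days:", downtime_cost_usd(138, 11))
```

Feeding the page’s own inputs (138 attacks, 11 days average downtime, $8,662 per minute) into `downtime_cost_usd` gives roughly $18.9 billion, in line with the $18.8 billion quoted above; the remaining difference is rounding in the inputs, which the page does not spell out. The distinction between `paid` and `paid_known` matters for the same reason the text gives: a gang’s leak-site post tells you a ransom was not paid, whereas silence tells you nothing.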

Data researcher: Charlotte Bond