Five U.S. law firms — three in the last 24 hours — have been among the companies and organizations targeted by a new round of ransomware attacks. In two of the cases, a portion of the firms’ stolen data has already been posted online, including client information.
This according to Brett Callow, a threat analyst with Emsisoft, a cybersecurity company that is also an associate partner in the No More Ransom Project, an initiative between multiple law enforcement agencies and the private sector.
Hackers have stolen data from at least five law firms, using the threat of releasing the data to extort payment from the firms, Callow said. In the two cases in which hackers already posted law firm data, they published it on the clear web where it can be viewed by anybody.
The hackers are using the so-called Maze ransomware, which was the subject of a warning issued to companies earlier this month by the FBI. Earlier this week, Ars Technica reported that victims of the Maze ransomware attacks have included a grocery chain, a CPA firm, and a college.
The hackers infiltrate systems using email with malicious attachments, Callow said. He does not know the exact nature of the emails being used against law firms, but he assumes they are being crafted in such a way that lawyers are likely to open them.
Their modus operandi is to initially name the companies they’ve hit on their website and, if that doesn’t convince the companies to pay, to publish a small amount of their data as “proofs.”
“This makes sense,” Callow said. “The more data they publish and the more sensitive that data is, the less incentive an organization has to pay to prevent the remaining data being published. It’s the equivalent of a kidnapper sending a pinky finger.”
If the organization still doesn’t pay, the remaining data is published, sometimes on a staggered basis, he said.
The group has also published data in Russian hacker forums with a note to “Use this information in any nefarious ways that you want,” Callow said.
Once a company does pay, then its name is removed from Maze’s website.
If any reader has more information on the nature of the emails being used, please let me know and I’ll update this post.