Warning to law firms: a ransomware group is stealing data and posting it online

Warning to law firms: a ransomware group is stealing data and posting it online

Five law firms have been hit by a notorious ransomware group known as Maze – three within the last 72 hours alone. It is highly likely Maze will target more law firms in the days and weeks ahead. While only U.S. firms have so been hit, firms in other countries are equally at risk.

In staying true to Maze’s typical modus operandi, the cybergang didn’t simply encrypt the law firms’ data – they also stole it.

Maze – the same group responsible for the attacks on the City of Pensacola, Allied Universal, Southwire and many others – typically uses exfiltrated data as added leverage in ransomware attacks. Maze initially names its victims and, if that is not sufficient to extract payment, publishes a small portion of their data online. This simply serves as proof that they have the data and is the equivalent of a kidnapper sending a pinky finger. Should the ransom still not be paid, Maze’s posts the remainder of the data on its websites, sometimes on a staggered basis. Previously, Maze has also published stolen data in a Russian hacker forum with a note stating to “Use this information in any nefarious ways that you want.” 

In regard to the recent attacks, Maze has already posted a portion of least two of the firms’ stolen data, which includes client information.  

There are significant implications for ransomware attacks with data exfiltration capabilities:  

While Maze claims that the stolen data will be deleted upon payment, it would be a mistake to assume that that this will be done. Why would a criminal enterprise delete data that it may be able to further monetize?

Attack vector believed to be malicious email attachments  

We believe malicious email attachments were used to infect the networks of the affected law firms. Ransomware can be delivered in a variety of formats, including PDF, ZIP, Word document, Excel spreadsheet and more. Opening a malicious attachment may deploy the ransomware immediately, or it may enable attackers to remotely execute the ransomware in the future. 

While the exact nature of the emails is still unknown, it’s likely that the attachments were delivered via phishing emails. Phishing is a very common attack vector in which threat actors pretend to be a legitimate entity in order to elicit an action from the target. Phishing attacks can be very sophisticated. In some cases, threat actors may use professionally designed websites, spoofed email addresses and the logos and contact information of real companies to add to the illusion of legitimacy and encourage the recipient to open a malicious attachment.  

Security advice for law firms 

It is highly likely Maze will target more law firms in the days that follow. Given that the latest round of attacks are a form of social engineering that rely on deceiving employees, one of the most effective forms of defense involves training staff to identify email-based attacks.  

Below is some useful security advice for law firms: 


The recent Maze ransomware attacks on law firms are a harsh reminder for organizations to remain vigilant and strengthen cybersecurity practices. Given that Maze ransomware may be distributed via email, it’s important that law firms encourage staff to be cautious when clicking on links and attachments, and always verify requests that seem suspicious. 

Emsisoft Malware Lab

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.

What to read next