Five law firms have been hit by a notorious ransomware group known as Maze – three within the last 72 hours alone. It is highly likely Maze will target more law firms in the days and weeks ahead. While only U.S. firms have so far been hit, firms in other countries are equally at risk.
In staying true to Maze’s typical modus operandi, the cybergang didn’t simply encrypt the law firms’ data – they also stole it.
Maze – the same group responsible for the attacks on the City of Pensacola, Allied Universal, Southwire and many others – typically uses exfiltrated data as added leverage in ransomware attacks. Maze initially names its victims and, if that is not sufficient to extract payment, publishes a small portion of their data online. This simply serves as proof that they have the data and is the equivalent of a kidnapper sending a pinky finger. Should the ransom still not be paid, Maze posts the remainder of the data on its websites, sometimes on a staggered basis. Previously, Maze has also published stolen data in a Russian hacker forum with a note stating to “Use this information in any nefarious ways that you want.”
In regard to the recent attacks, Maze has already posted a portion of the stolen data of at least two of the firms, including client information.
There are significant implications for ransomware attacks with data exfiltration capabilities:
- The threat of publicly posting stolen data may encourage victims to pay the ransom, which may make ransomware more profitable and incentivize further attacks.
- Attacks that steal data are considered to be data breaches which, under U.S. law, are treated very differently to malware infections. Organizations affected by data breaches are required to notify government regulators and affected users, and may face legal action from aggrieved customers.
While Maze claims that the stolen data will be deleted upon payment, it would be a mistake to assume that this will be done. Why would a criminal enterprise delete data that it may be able to further monetize?
Attack vector believed to be malicious email attachments
We believe malicious email attachments were used to infect the networks of the affected law firms. Ransomware can be delivered in a variety of formats, including PDF, ZIP, Word document, Excel spreadsheet and more. Opening a malicious attachment may deploy the ransomware immediately, or it may enable attackers to remotely execute the ransomware in the future.
While the exact nature of the emails is still unknown, it’s likely that the attachments were delivered via phishing emails. Phishing is a very common attack vector in which threat actors pretend to be a legitimate entity in order to elicit an action from the target. Phishing attacks can be very sophisticated. In some cases, threat actors may use professionally designed websites, spoofed email addresses and the logos and contact information of real companies to add to the illusion of legitimacy and encourage the recipient to open a malicious attachment.
Security advice for law firms
It is highly likely Maze will target more law firms in the days that follow. Given that the latest round of attacks is a form of social engineering that relies on deceiving employees, one of the most effective forms of defense involves training staff to identify email-based attacks.
Below is some useful security advice for law firms:
- Exercise extreme caution when processing email: as noted above, we believe the attack vector to be malicious email attachments.
- Train staff to be cautious: Encourage employees across every level of the firm to think before they click. Staff should be very cautious of opening attachments in unsolicited emails and always hover over links before clicking to check the URL leads to a legitimate website. If staff are unsure of the legitimacy of an email, they should verify with the sender using a non-email form of communication.
- Remote access solutions: remote access solutions should be patched and protected with 2FA/MFA (firms that use the services of an MSP or MSSP should ensure that their remote access solutions are patched and protected with 2FA/MFA).
- Avoid enabling macros: Firms should seek guidance from the IT team before enabling macros. While macros are an effective way to automate common tasks in Microsoft Office, attackers can also use this functionality to deliver ransomware and other forms of malware.
- Be wary of urgent language: Many phishing attacks rely on convincing the recipient of the email to click on a link or open an attachment. Staff should be wary of emails that are written using unusually pushy or urgent language.
- Verify the sender’s address: Attackers commonly use domain name and display name spoofing to obscure the sender’s true address. Staff should take the time to always check that the display name matches the mailto address. In addition, firms should employ a combination of authentication technologies such as Sender Policy Framework, DomainKeys Identified Mail and Domain-based Message Authentication Reporting and Conformance.
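As an added example (not code from the original post), the following Python script applies several of the checks in the list above to a raw email message: it compares any address embedded in the display name with the actual mailto address, compares the Reply-To domain with the From domain, reads the SPF/DKIM/DMARC verdicts the receiving mail server stamps into the Authentication-Results header, flags attachment types commonly used to carry macros or executables, and looks for pushy or urgent wording. It uses only the Python standard library. The two sample messages embedded below are constructed for this example; the domains, names and filenames in them are placeholders, not real indicators.

```python
"""Inbound mail triage for the phishing indicators discussed above.

Added example (not part of the original post). Standard library only.
The sample messages below are constructed; all domains and filenames
are placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Attachment types frequently used to deliver macros or executables. ZIP is
# named in the post; the macro-enabled Office extensions (.docm, .xlsm, .pptm)
# are the ones the "avoid enabling macros" advice concerns.
RISKY_EXTENSIONS = {".zip", ".docm", ".xlsm", ".pptm", ".js", ".vbs", ".exe", ".iso", ".lnk"}

# Phrasing the "be wary of urgent language" advice warns about (constructed list).
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|final notice|suspended|act now)\b", re.I)

# spf=pass / dkim=fail / dmarc=fail tokens inside an Authentication-Results header.
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def _domain(addr):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect SPF/DKIM/DMARC verdicts from Authentication-Results headers
    (RFC 8601) stamped by the receiving server. First verdict per mechanism wins.
    Example return value: {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail'}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RESULT.findall(str(header)):
            verdicts.setdefault(mech.lower(), result.lower())
    return verdicts


def triage(raw):
    """Return a list of indicator tags found in the raw RFC 5322 message bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)

    # Display-name spoofing: an address written into the display name whose
    # domain differs from the mailto address a reply would actually go to.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name or "")
    if embedded and _domain(embedded.group(0)) != from_domain:
        findings.append("display-name-mismatch")

    # A Reply-To on a different domain than From redirects the conversation.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply-to-mismatch")

    # Anything other than a clean pass for SPF, DKIM or DMARC is worth a flag.
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) not in (None, "pass"):
            findings.append(f"{mech}-{verdicts[mech]}")

    # Attachments: match on the declared filename extension.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if any(fname.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{fname}")

    # Urgent wording in subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if URGENCY.search(str(msg.get("Subject", "")) + " " + text):
        findings.append("urgent-language")
    return findings


# Constructed sample: display-name spoof, failed DMARC, macro-enabled attachment, urgent subject.
SAMPLE = b"""From: "Jane Partner <jane@partner-firm.example>" <billing@mail-notice.example>
Reply-To: invoices@mail-notice.example
To: associate@law-firm.example
Subject: URGENT: overdue invoice, respond within 24 hours
Authentication-Results: mx.law-firm.example; spf=pass smtp.mailfrom=mail-notice.example; dkim=none; dmarc=fail header.from=mail-notice.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please review the attached invoice immediately.
--b1
Content-Type: application/octet-stream; name="Invoice_4471.docm"
Content-Disposition: attachment; filename="Invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample of an ordinary message that should produce no findings.
CLEAN = b"""From: Jane Partner <jane@partner-firm.example>
To: associate@law-firm.example
Subject: Draft engagement letter
Authentication-Results: mx.law-firm.example; spf=pass smtp.mailfrom=partner-firm.example; dkim=pass header.d=partner-firm.example; dmarc=pass header.from=partner-firm.example
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Attached is the draft we discussed. No rush.
"""

if __name__ == "__main__":
    print("suspicious:", triage(SAMPLE))
    print("clean:", triage(CLEAN))
```

The script is a triage aid, not a verdict: a message with no findings can still be malicious, and a legitimate sender with a misconfigured DMARC policy will trip the `dmarc-fail` flag, which is exactly why the advice above pairs technical checks with confirming unexpected requests through a non-email channel.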
The recent Maze ransomware attacks on law firms are a harsh reminder for organizations to remain vigilant and strengthen cybersecurity practices. Given that Maze ransomware may be distributed via email, it’s important that law firms encourage staff to be cautious when clicking on links and attachments, and always verify requests that seem suspicious.