When you’re choosing victims as an attacker, it’s important to waste as little time as possible. That means picking targets well, which in turn means targets that are:
- Easy to compromise
- Lucrative when compromised
It’s a simple formula.
The lucrative component can take multiple forms. Recently we’ve seen massive success with ransomware, where people lose what’s important to them (not to the attacker), and they pay money to get it back.
That obviously works well, but law firms have an even more potent mixture of characteristics.
- They’re easy to hack because they traditionally don’t spend any effort or money on information security
- They aren’t likely to have strong backup and restore capabilities in place
- They will be severely damaged or go under without their records, so traditional ransomware attacks work on them
- You can threaten them with notifying all their customers that they are untrustworthy with their sensitive data, which will destroy trust in the firm
- The data itself is potentially valuable to others
It’s the Payoff Trifecta: ransomware, extortion, and data resale.
I think it’s quite logical to expect law firms to become major targets in coming years. They’re simply too attractive to avoid.