top of page

Understanding the Threat of Ransomware in the Legal Sector

The UK legal sector faces increasing online threats, and legal firms make highly attractive targets for cyber criminals. Not only are they making large financial transactions on behalf of their clients, but they are responsible for handling highly sensitive information. If accessed, this information could be used for insider trading, gaining power in negotiations, or subverting the court of justice.

The success of any legal firm relies on delivering a highly efficient service and upholding a professional reputation, making them perfect targets for extortion. The price of paying a ransom can be dwarfed by the price of being unable to work, and the disastrous reputational hit of a data breach provides a motive for the ransom to be paid.

a statue of lady justice

Why do criminals target law firms?

Although the primary threat to the UK legal sector is financially motivated cyber criminals, it is important to note that there are various other motivations behind targeting the legal sector.

According to the NCSC’s June 2023 Legal Sector Cyber Threat Report; nation states including Russia, Iran, North Korea and China, have been identified as using criminal actors for state ends. This could be to further their own political agenda, to disrupt those working on issues they disagree with, or intellectual property theft. Those most at risk are firms advising sensitive clients, or working in locations that are hostile to the UK. Major law firms are particularly exposed because they may be part of the wider supply chains used by nation states.

‘Hacktivists’ will also target the legal sector for committing cybercrimes. These are hackers motivated by a specific cause, and the NCSC has observed growth in these communities targeting law firms. Firms most at risk are those working with organisations that are at odds with the hacktivists political, economic or ideological agenda.

In 2020, ransomware infected and subsequently shut down several IT systems belonging to the criminal law firm ‘Tuckers Solicitors LLP’. Data concerning 60 court cases, including cases that were ongoing, was taken and published on the dark web. Consequently, the firm was fined just shy of £100,000 by the ICO for ‘negligent security practices’, which included leaving vulnerabilities unpatched for months and failing to employ multi-factor-authentication (MFA) on key systems.

What is ransomware?

Ransomware is a type of malware that prevents you from accessing your device and its data, usually through encrypting your files. Criminal groups demand a ransom in exchange for unlocking the data.

Attackers will gain access to your network and plant malicious software. This access may come through criminals exploiting security holes, or through phishing emails, using calculated social engineering to trick employees into opening malicious attachments or allowing administrative access. Once activated, devices will be locked and data across the network encrypted. Users will then receive a notification from the criminal, explaining the ransom and how it can be paid to regain access.

an example of a ransomware notice

How can my organisation protect itself?

There are various measures legal firms can take to prevent malware from being delivered and spread. These can include mail filtering, intercepting proxies, internet security gateways and safe browsing lists within web browsers. Multi-factor authentication (MFA) should be enabled for all remoted access points into the network and Remote Desktop Protocol (RDP) should be disabled if it is not needed. All devices and user permissions should be regularly reviewed, and security updates should be installed as soon as they are available. You can also consider whether antivirus or anti-malware products are necessary.

Companies of any size should plan for an attack even if you think it is unlikely. Make sure any important files are regularly backed up, offline and in a different location. Make multiple copies of files using different backup solutions and do not keep the devices that contain your backups (e.g., hard drives and USB sticks) permanently connected to your network. Develop a ransomware strategy and determine how you will react in the case of an attack, considering who to inform, how you will do this and how you would respond to a ransom demand.

The topic of malware prevention can be confusing for a non-technical audience, so it is important to try and educate staff on what they should do to protect themselves. The National Cyber Security Centre has an easily digestible guide on Mitigating Malware and Ransomware Attacks detailing every prevention method.

For small businesses, the NCSC’s Small Business Guide is essential reading for improving your cyber resilience.

If you have already been infected: The NCSC's guide details 9 steps to implement immediately that may help limit the impact.

How can we help you?

By joining the Eastern Cyber Resilience Centre as a free member, you will be enrolled on our ‘Little Steps’ programme, which gives you bite-sized steps to take every week that will massively improve the cyber resilience of your business. Additionally, our website offers free support tools and guidance that is sector-specific.

The Law Society and the Bar Council jointly produced a questionnaire to help legal firms understand information security arrangements and check that the centralised IT systems maintained by chambers are compliant with this. This questionnaire can be accessed via our website here.

Here at the ECRC, we have also made our own document detailing cyber resilience considerations for the legal sector, which explains everything using non-technical language and contains a checklist you can use. This document can be downloaded using this link or accessed via our website here.

The NCSC offers a Funded Cyber Essentials Programme, for micro and small businesses operating in vulnerable sectors. If your business does not qualify, you could consider getting your Cyber Essentials Certification through one of our Cyber Essentials Partners.

Finally, the ECRC also offers very affordable support services, and access to approved consulting and training organisations that can help you protect and prepare for ransomware without breaking the bank.

If you would like to know more about what we can do for you at the ECRC, why not book a chat with us today?

the Eastern Cyber Resilience Centre logo

Reporting a live cyber-attack 24/7:

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.

Reporting a cyber-attack which isn’t ongoing:

Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.

Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page