Two unnamed Manitoba law firms have been hit by Maze ransomware, locking up not only office computers but also their cloud backups.
“At this point, we do not know when or if they will ever regain complete access to their kidnapped data,” the Law Society of Manitoba said in a statement. Provincial law societies are the legal profession’s regulators.
The firms have been asked to pay “an enormous ransom” to regain access to client legal files. The statement doesn’t say whether they had cyber insurance, which may cover some or all of a ransom. However, that may be the least of the firms’ worries. The Maze group typically quietly infects one computer, then gains network access to find all computers and servers to pinpoint sensitive data. Then it copies and exfiltrates victims’ data before encrypting it. That way it can threaten to release the data to the public if the ransom isn’t paid. Usually Maze gives victims seven days to comply.
The American web site Law.com says Maze released client files of a Texas law firm earlier this year that refused to pay a ransom. Documents included pain diaries from personal injury cases, client fee agreements, health care consent forms and more.
The Manitoba law society said it was notified in the last two weeks of the attacks, which have left the two law firms without access to email, Word, their accounting software, or any of their backups. Documents filed in court wouldn’t be affected, nor would original paper documents held in law firm offices. Both of these would help a law firm re-build its digital files. However, the attack may force lawyers to re-interview witnesses where there are no paper transcripts. Lawyers also wouldn’t be able to access previously scanned and digitized copies of work like affidavits, testimony, statements of claim and statements of defence. Digital copies of documents are vital to law firms because they can be easily searched, saving hours of work.
A Canadian lawyer who asked not to be identified said it’s not uncommon anymore for law firms in this country to be hit by ransomware. “It’s more common today than it was six months ago.” Next to a fire, he agreed, a ransomware attack could be a law firm’s worst nightmare.
“Gone are the days when we work alone on paper,” he said.
Among the problems: Lawyers would lose access to their calendars, meaning they could miss court or regulatory deadlines for filing documents. That could imperil anything from a merger/acquisition to house sales. Fortunately, because of the COVID-19 pandemic, Canadian courts are temporarily closed. (CLARIFICATION: Land registry offices may still be open.)
While law societies across Canada have rules obliging lawyers to protect documents, they typically only suggest best practices for cybersecurity.
In an email, Brett Callow, a British Columbia-based researcher for security firm Emsisoft said the incidents show why IT has to make sure organizations have independent offline backups of data. Network-attached backups can be infected. He also noted ransomware attackers who copy data before encrypting it may not be honourable in keeping their promise to delete what they have stolen in exchange for paying to get decryption keys.
Maze was also responsible for the ransomware attack last December on a Manitoba insurance broker. That led Callow to wonder if data stolen from one company was used to spear phish others, or if the firms shared the same service provider which was hacked.
Law firms are attractive targets because the sensitive client data they hold could mean firms are likely to pay a ransom. According to Law.com, Maze claimed responsibility in February for hitting three law firms in South Dakota