How to keep your Chambers safe from ransomware attacks

By Suleyman Salih

In the last 12 months 39% of UK businesses identified a cyber-attack [1]. Threat Actors target computer systems impacting operations, resulting in significant monetary and intangible operational losses. Two high-profile organisations fell victim to a cyber-attack recently making media headlines:

Bar Council and Bar Standards Board

The Bar Council and Bar Standards Board recently suffered a cyber-attack forcing the shutdown of email and other online services to stop the attack, preventing data loss. The bar worked with partners to remove the malware and restore services [2].

Ward Hadaway

Top-100 law firm, Ward Hadaway fell victim to data theft of confidential documents. Threat actors forced Ward Hadaway to pay three million dollars in Bitcoin. Ward Hadaway received an alert indicating that a cyber-attack may be in progress. Later the following day, the unknown hackers confirmed the data theft by emailing the firm’s staff [3].

Cyber-attacks cause a significant impact on the organisations resulting in operational shutdowns, data theft, and extortion. Hackers have found ways to compromise digital assets ranging from on-premises equipment to cloud services.

What is ransomware and extortion tactics?


Ransomware is malicious software used by cybercriminals to lock or steal data. The attack starts with malicious software referred to as a “dropper.” Once infected with a dropper, the malware will begin to download additional malware, including ransomware. The initial infection results from a malicious email, visiting an infected website, compromised credentials, or vulnerabilities in unpatched or misconfigured systems. After a machine is infected, the ransomware has many different nefarious options. For example, spread to other computers or servers, encrypt files rendering systems unusable and steal data. After an attack, the hackers leave a note behind informing the victim, including instructions on restoring encrypted files or getting stolen data returned. Victims often find services such as email, human resources, collaboration, financial systems, legal, and backup systems unusable alongside stolen data.


After a successful cyber-attack, cybercriminals focus on extortion demanding a ransom to restore operations, return data, and prevent further data sale to others. If all fails, threat actors will post sensitive data online, including the tactics used to compromise the victim. Hackers sell a decryption key for encrypted (locked) data and provide a sample of your data decrypted to prove the key works. Of course, there are no guarantees the decryption key will perfectly restore all data. Attackers provide the decryption key upon a successful cryptocurrency payment, and the victims can begin recovering.

Client, partner, and affiliate extortion

The situation for victims becomes worse as cybercriminals explore the stolen data looking for cases and other sensitive or private information related to a victim’s clients, partners, or affiliates. To maximise their efforts, hackers attempt to collect a ransom directly from these other organisations by threatening to release sensitive information.

Guidance for preventing cyberattacks

As the number of cyberattack cases rises within the United Kingdom, the Legal industry, and the increasing severity of ransomware attacks, bodies such as the Law Society and Bar Council have stepped up, releasing guidance on preventing cyberattacks. This is a great start in encouraging members to think about and prioritise cybersecurity, enabling them to take action to prevent cyberattacks.

Why is this guidance not enough?

The guidance questionnaire released by the Law Society and Bar Council is focused only on Chambers central IT systems and services and does not consider independently owned devices. As Barristers are mostly independent practitioners and are commonly utilising their individually owned and managed devices and services, the guidance does not provide enough information on the full extent of IT systems and cyber risk. The challenge in stopping attacks is that the techniques and tactics evolve, becoming increasingly sophisticated.

The guidance supports best practice t frameworks such as Cyber Essentials and ISO27001, more is required to actually detect, contain, and mitigate data breaches. The breach of the Bar Council and Bar Standards Board proves this to be true.

“In today’s world where the threat of increasingly sophisticated cyberattacks for UK legal firms is a very real one, with the additional threat of triple extortion tactics, that could ruin an organisation. The legal sector needs to quickly respond by increasing the level of their cybersecurity. The advice given by IT providers and industry bodies only goes so far and can often offer a false sense of security. This is why it is important to properly review your cybersecurity posture, and partner with cybersecurity experts.” 

 Suleyman Salih
Head of Account Management – CyberClan 

How secure are you?

Just like phishing, missing security patches and incorrect configurations are major causes of data breaches. A cybersecurity assessment, vulnerability assessment, and penetration testing helps identify gaps in your security posture. Gaps can be reviewed and addressed by establishing better protection and an understanding of cybersecurity hygiene.

Proactively protect against ransomware attack

As cyberattacks increase and become more sophisticated, organisations need a process in place to be protected. There are many attack vectors threat actors use that lead to a breach, including:

  • Phishing email
  • Malicious email attachment
  • Compromised websites
  • Lack of security patches
  • Misconfigurations
  • Training

It is important, as Cybersecurity Specialists, that we understand an organisation’s current cybersecurity posture to help address any gaps, monitor activity, detect anomalies, respond to an incident, and recover.

Countering compromised websites – Managed Endpoint Detection and Response

There are two high-level ways threat actors use websites. The first method is called a “drive-by” or “fileless” malware that runs as a script and never has a need to transfer a file to the victim’s computer. An endpoint detection and response (EDR) tool will stop this kind of attack before it has a chance to execute on a computer. There are also tools called Secure Web Gateways (SWG) used to evaluate websites and block users from visiting dangerous sites.

Hackers are aware of how secure web gateways work and developed a method named “watering hole attack.” Threat actors are aware that organisation create allow lists to ensure a secure web gateway does not block traffic between partner companies. Hackers know about these lists and will intentionally compromise a partner website, knowing it will bypass secure web gateway filters. This is one reason an EDR solution can be more effective.

Protection beyond the endpoint – Managed Detection and Response (MDR)

Endpoint detection and response is a reactive solution. The goal of organisations is to become more proactive. Managed detection and response (MDR) provides analytics around network devices and cloud services correlating logs and applying user and entity behaviour analytics (UEBA). Monitoring UEBA baselines behaviours and any events outside the expected behaviour triggers a notification. MDR provides advance notification indicating a company may be under attack improving an organisation’s cybersecurity hygiene.

Stopping phishing – Managed Advanced email security.

Phishing is a form of social engineering threat actors use to trick an email recipient into clicking on a malicious link or attachment within an email message. Phishing remains one of the top causes of a breach. There are tools such as Advanced Email Security that protect organisations against phishing and malware and the accidental dissemination of sensitive data with data leakage prevention features. In addition, it can identify a malicious link in an email and stop a user from accidentally clicking it.

Tie it all together – Extended Detection and Response (XDR)

We’ve concluded a high-level overview of how to protect Chambers from ransomware. The addition of these services requires resources, training, and experience to manage and respond to the threats faced every day. EDR, MDR, and Advanced Email Security can be integrated with a Security Operations Center (SOC) consisting of cybersecurity experts monitoring a Chamber’s digital assets 24 hours a day, 365 days per year.

No Obligation Consultation

If you have any questions and wish to arrange a free no obligations consultation of your cybersecurity for your legal organisation, please get in touch with our experts by filling in the form below.




Knowledge Base

Ransomware: Pay or Don’t Pay? A Guideline for Ethical Decision-Making

In February 2021, CD Projekt Red revealed that it had been the victim of a ransomware attack. However, the company made no ran...

Read More +

5 Challenges Uninsured Businesses Face while Obtaining Insurance After a Cyber Breach

In 2022, the FBI’s Internet Crime Complaint Center (IC3) received 800, 944 reported cybersecurity complaints, with losses ex...

Read More +

Clop Ransomware Group specifically targets Healthcare Industry in Data Breaches

The IBM 2022 cost of data breach report revealed that the healthcare industry suffered losses of $10.1 million per data breach....

Read More +
CyberClan CyberClan CyberClan CyberClan