Why Legal Clients Should Never Pay Ransoms

Why Legal Clients Should Never Pay Ransoms

Cybersecurity has quickly become one of the legal sector’s foremost concerns. In particular, ransomware attacks can pose a major threat to clients due to the sensitive information that is necessarily retained during business.

Lawrence Perret-Hall, director at CYFOR Secure, discusses the importance of refusing to pay up in the event of a ransomware attack and how a combined, proactive cybersecurity strategy removes the temptation to pay.

The National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) recently issued a joint letter urging the legal profession to stop advising clients to pay ransom demands following a ransomware attack. The letter emphasised how paying ransoms exacerbates the broader ransomware threat, incentivising further cyberattacks and failing to guarantee the return of stolen data.

To avoid the temptation of paying up, legal firms have a role to play in translating the value of proactive cybersecurity solutions to their clients and emphasising the critical need for multiple security controls to help prevent cyberattacks and minimise business disruption in the event of a successful breach. As stated by Paul Philip, Chief Executive of the Solicitors Regulation Authority, “It is in everyone’s interest that firms take all reasonable steps to protect themselves and their clients, all the more so as innovation and increased use of IT make information security a priority.”

While there is no one ‘silver bullet’ to complete cybersecurity protection for firms and clients, there are a number of security solutions that can be hugely effective when implemented in tandem.

To Pay or Not to Pay?

Ransomware is a type of malware which prevents a user from accessing their device and the data stored on it, usually by encrypting its files. The criminal group who deployed it then demands a ransom in exchange for decryption. The NCSC’s CEO has called it the “biggest online threat to the UK”, while new research from Microsoft has revealed a rise in ransomware-as-a-service (RaaS) attacks. This is particularly concerning as RaaS essentially democratises ransomware and enables criminals with little to zero technical know-how to launch malware. In this cyber climate, any business, small or large, across all industries, is at risk of a devastating data breach.

What is crucial to iterate is that paying ransom demands following an attack does not ensure the safe return of stolen data, nor does it constitute a positive resolution of an incident. Any data stolen by cybercriminals is compromised whether a ransom is paid or not – and if an organisation were to restore their system from local backups stored on the same infected network, they would run the risk of becoming re-infected with malware.

Paying up also has the added effect of incentivising ransomware gangs, who are increasingly targeting small- and medium-sized businesses. SMEs have become low-hanging fruit for bad actors, willing to pay relatively small ransoms, which can prove just as lucrative as ransomware attacks on larger organisations for hackers in the long-run. The temptation to pay up can be stronger for smaller enterprises that have fewer resources in-house to monitor their environments for threats and mitigate against potential breaches.

What is crucial to iterate is that paying ransom demands following an attack does not ensure the safe return of stolen data, nor does it constitute a positive resolution of an incident.

This is paired with the growing sophistication of cybercriminals, who are deploying more targeted and timely attacks. These include ransomware attacks deployed during a quiet period, e.g. bank holidays or weekends when fewer IT and security staff are working, or malware delivered via an especially deceptive phishing email that includes personal data harvested online.

Paying ransom demands should therefore not be an option for the clients of legal firms – small or large – but what exactly should businesses be doing to avoid the temptation to pay up and better protect their networks?

A Proactive, Combined Cybersecurity Solution

In the event of an attack, backups – or, rather, a suite of backups – form a critical part of an organisation’s proactive cybersecurity strategy. Specifically, businesses need a blend of smaller, incremental, more frequent backups for business restoration in conjunction with full backups stored on a separate encrypted network, as well as long-term backups stored on tape.

Although this may sound excessive, a backups suite such as this can help clients restore their data quickly and safely in the event of a ransomware attack. In doing so, they avoid the common recurring issue of restoring infected backups and reinfecting the network with malware. And for businesses operating with tighter cybersecurity budgets, a comprehensive suite of backups proves far more cost-effective than falling victim to ransomware and paying up to try and regain stolen, compromised data.

Backups should also form part of a wider overall response in the event of a cyber incident. Proactively implementing a strong incident response plan is critical when reacting to an event, such as a ransomware attack, to help meet an organisation’s recovery time goals and minimise business disruption.

However, none of this is possible if an organisation’s board does not recognise the severity of the ransomware attack and allow IT teams to begin the process of remediation. Once the business leaders recognise the risk, it is then about understanding exactly what has happened and reviewing logs to analyse the vulnerability and the source of the breach. Without logs, incident response becomes far more difficult – an issue also exacerbated if an organisation is not working with an experienced cybersecurity partner.

Proactively implementing a strong incident response plan is critical when reacting to an event.

Collaborating with cyber professionals who have expertise in developing detailed incident response playbooks can be crucial to effective and speedy remediation. If not, it can take up to four weeks to get an organisation back up and running. This is not viable for customer-facing businesses and is the reason why more enterprises are turning to third-party security partners for support.

Working With the Experts

All organisations should be prioritising cybersecurity from the start. Proactively implementing a blend of security controls and solutions such as backup strategies, incident response plans and business continuity playbooks offers strong and varied protection against the consequences of a ransomware attack.

However, to get all of this right is no small task – especially without support. Law firms can therefore advise their clients to invest in a retainer with a trusted security partner. Retainers can be customised and designed bespoke to tailor security controls and solutions to individual business needs when not required to cover the cost of responding to an incident. For example, they can include proactive measures such as vulnerability scanning and dark web monitoring to identify the most critical areas of risk, uncover weak spots and discover if data has already been unknowingly stolen and is being sold by bad actors.

Furthermore, taking on a regular and smaller cost of a retainer, which can be budgeted for in advance, ensures far better ROI compared to a purely reactive approach to a ransomware attack – especially when considering IBM’s Cost of a Data Breach report revealed ransomware attacks in 2022 cost organisations £3.8 million on average.

Looking Ahead

In the current threatscape, where cyberattacks and ransomware are an inevitability for the clients of law firms, it is simply dangerous to pay up. Legal professionals play a significant advisory role on such matters. It is therefore critical they can translate the benefits of proactive cybersecurity to their clients.

Indeed, having a varied and comprehensive proactive cybersecurity strategy with incident response, backups and retainers at its core is vital to ensuring downtime is kept to a minimum and business operations face minimal disruption. Working with a security partner to achieve this not only offers one of the best ways to bolster cyber resilience and reduce the severity of a cyberattack; it ensures ROI on cyber investment.


Lawrence Perret-Hall, Director

CYFOR Secure

Tel: +44 03301 358542

E: contact@cyforsecure.co.uk


Lawrence Perret-Hall is director of CYFOR Secure and leader of its commercial department. His primary responsibilities involve advising clients on the management of digital evidence, such as the application of eDiscovery technology and forensic techniques. A qualified project manager, Lawrence has also provided expert consultancy on numerous high-profile, complex and multi-jurisdictional forensic investigations.

CYFOR Secure is CYFOR’s dedicated cybersecurity division, specialising in digital forensics, incident response and a broad range of other proactive and reactive IT security services. The company supplies SMEs and large corporations internationally, with clients across the legal, healthcare, engineering, manufacturing, finance and telecom sectors.

Leave A Reply