Law firms’ growing dependence on IT systems is creating more opportunities for cyber criminals, the Solicitors Regulation Authority has warned, with ransomware attacks increasingly targeting sensitive client information in order to extort money.

Ransomware can simply lock firms out of their IT systems, which will particularly affect fully remote firms, but is more regularly being used by criminals to steal information and threatening to publish it – which the SRA predicts will become ‘a normal part of how ransomware extorts money’.

The regulator said in a risk outlook report published today that firms reported 18 ransomware attacks in 2021, but conceded that figure ‘may not give the true picture of the threat, as they represent only those cases where client information was affected’.

Already this year, top-100 firm Ward Hadaway has been subject to attempted blackmail for up to $6m (£4.75m) in bitcoin after confidential documents were obtained in a cyber attack. Listed firm Ince was similarly targeted, with both firms going to the High Court to obtain urgent injunctions.

The SRA said: ‘We expect that file stealing will become a normal part of how ransomware extorts money. Ransomware will continue to increase in sophistication and to use a wider range of methods to influence its targets. It is likely to increasingly become fully automated, attacking any target with suitable weaknesses. Most attacks will be random and be because the firm has a weakness that could be detected. However, some might be targeted intentionally.’

The regulator suggested attacks could be directed by ‘unscrupulous parties to damage the operations of a firm that is acting for an opponent in litigation’ or even target firms which have been ‘identified as acting for Ukrainian, Russian or Belarussian clients’.

‘There have been reports of cyber attacks [being] used as a deniable weapon and solicitors’ firms might be seen, rightly or wrongly, as a less secure target than some of their clients,’ the report added.

More than four-fifths (83%) of cyber crimes reported to the regulator in 2021 involved emails, including phishing attacks and email modification frauds, the SRA said.

Conveyancing remains a regular target due to the large amounts of money involved, but the regulator said criminals are ‘broadening their attacks’ to other fields where firms might be ‘less alert’ to threats and some are even ‘intercepting and falsifying physical mail between a firm and client to request funds’.

The SRA said compromised third parties or IT providers can also affect firms, noting that attacks last year on a service provider and a barristers’ chambers both ‘spread to multiple solicitors’ firms’.

It warned firms may be targeted in the future by criminals using ‘voice-modification software in calls to impersonate a solicitor’ or artificial intelligence to make ‘phishing contacts and other false communications more credible and harder to distinguish from the individual being copied’.

‘Cybercriminals are also likely to make increasing efforts to attack smart contract systems,’ the report said. ‘A system that automatically transfers money in response to defined trigger events will always be of interest to attackers. ‘Many of these are based on blockchain systems that are, theoretically, verifiable.

‘This means that they should be more secure against some frauds than traditional arrangements. However, the fact that a contract’s interpretation and enforcement are handled remotely on an IT system rather than personally by the parties creates chances to attack, even if those attacks have a low probability of succeeding. We can expect to see reports of attempted attacks emerging.’

The SRA recommended that firms need to ensure their cyber security is as strong as possible, including by using simple measures like choosing strong passwords backed up by multi-factor authentication and by trying to insulate themselves against attacks on commercial partners.

But it also emphasised the importance of the right training and culture to effectively protect against cyber attacks, saying that ‘the firms at most risk are those with cultures that do not encourage staff to come forward with problems’.

The report stated: ‘Firms can go a long way towards preventing the most frequent types of attacks by encouraging staff to report breaches immediately and by building a no-blame culture. The tone set by senior staff is a crucial factor in this.’

SRA chief executive Paul Philip said: ‘It is in everyone’s interest that firms take all reasonable steps to protect themselves and their clients, all the more so as innovation and increased use of IT make information security a priority.

‘Protection isn’t just about software. Having the right systems in place, such as anti-virus software or multi-factor identification, really matters. But good training and a culture in relation to managing risks is just as important.’