INC Ransomware Group Breaches Two U.S. Law Firms, Leaks Sensitive Client Data

INC Ransomware Claims Attacks on Hawk Law Group and Eisenberg Lowrance Lundell Lofgren

Severity: HIGH
February 3, 2026
Ransomware, Data Breach, Threat Actor

Impact Scope

Affected Companies: Hawk Law Group, Eisenberg Lowrance Lundell Lofgren

Industries Affected: Legal Services

Geographic Impact: United States (national)

Related Entities

Threat Actors: INC Ransomware Group

Other: Hawk Law Group, Eisenberg Lowrance Lundell Lofgren

Executive Summary

The INC ransomware group has publicly claimed responsibility for cyberattacks against two law firms in the United States, underscoring the legal sector's vulnerability to extortion. The victims, Hawk Law Group and Eisenberg Lowrance Lundell Lofgren, were both listed on the gang's data leak site. The attackers claim to have exfiltrated a trove of confidential information, including client PII, government-issued IDs, and sensitive details pertaining to active civil and criminal court cases. Such breaches pose a severe threat to attorney-client privilege, the integrity of legal proceedings, and the privacy of the firms' clients.

Threat Overview

  • Threat Actor: INC Ransomware Group
  • Targets: Hawk Law Group, Eisenberg Lowrance Lundell Lofgren
  • Industry: Legal Services
  • Attack Type: Ransomware with Data Exfiltration (Double Extortion)

INC Ransomware is a relatively new but active player in the ransomware scene, known for targeting various sectors, including healthcare and education. Their focus on law firms is logical due to the high value and sensitive nature of the data these firms possess. By stealing and threatening to leak case files and client information, the group can exert immense pressure on the victims to pay a ransom to protect their clients' privacy and their own professional reputation.

Technical Analysis

INC ransomware's TTPs often involve exploiting common vulnerabilities for initial access. They are known to leverage compromised RDP credentials and have been linked to the exploitation of vulnerabilities in remote access software.

Common TTPs:

  • Initial Access: Stolen RDP credentials or exploitation of public-facing applications.
  • Discovery: Use of standard Windows commands and Active Directory reconnaissance tools.
  • Lateral Movement: The group has been observed using legitimate remote access tools like AnyDesk or Splashtop, in addition to RDP, to move through the network.
  • Impact: The ransomware encrypts files and appends a .inc extension. It also creates a ransom note named [victim]-readme.txt in each encrypted directory.

MITRE ATT&CK Techniques (Probable)

Impact Assessment

The consequences of a ransomware attack on a law firm are particularly severe:

  • Breach of Attorney-Client Privilege: The exposure of confidential communications and case strategies can jeopardize legal cases and lead to severe ethical and legal repercussions for the firm.
  • Client Risk: Clients whose personal data (IDs, financial records) is stolen are at high risk of identity theft and fraud.
  • Regulatory Fines: Law firms are subject to data protection regulations and can face significant fines for failing to protect client data.
  • Reputational and Financial Ruin: A significant data breach can destroy a law firm's reputation, leading to loss of clients and potentially the collapse of the practice.

Detection & Response

  1. Monitor Remote Access Tools: Log and monitor the installation and use of all remote access software. The unexpected appearance of AnyDesk or Splashtop on a server or workstation should be an immediate red flag. See D3-PA - Process Analysis.
  2. RDP Logging: Monitor RDP login events (Success and Failure). Alert on logins from external IP addresses or a high volume of failed logins indicative of a brute-force attack.
  3. File Share Auditing: Enable auditing on critical file shares containing client data. Monitor for unusual patterns of high-volume file access from a single account, which could indicate data staging for exfiltration.
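The three monitoring items above, written out as a small detector. This is an added example, not code from the report or from any tooling the author describes; it runs over constructed Windows Security event records (dicts mimicking the fields of event IDs 4625, 4624, 4688 and 5145), and the event IDs, field names, remote-access-tool binary names and alert thresholds are assumptions chosen for illustration.

```python
"""Toy detection logic for the three Detection & Response items (added example).
Runs over CONSTRUCTED Windows Security events; IDs, fields and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Binaries of the remote access tools the report names; exact image names are assumed.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "srserver.exe", "srservice.exe"}
# Address ranges treated as "inside the network" (RFC 1918 plus loopback).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RDP_LOGON_TYPE = 10                   # Logon Type 10 = RemoteInteractive (RDP)
FAILED_LOGON_THRESHOLD = 5            # assumed tuning: failures per source IP
FAILED_LOGON_WINDOW = timedelta(minutes=5)
FILE_ACCESS_THRESHOLD = 50            # assumed tuning: distinct files per account
FILE_ACCESS_WINDOW = timedelta(minutes=10)


def is_external(ip):
    """True when the address is outside every internal range (or cannot be parsed)."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def detect_rdp_brute_force(events):
    """Item 2: a burst of failed RDP logons (4625) from a single source IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == RDP_LOGON_TYPE:
            by_ip[e["source_ip"]].append(e["time"])
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        k = FAILED_LOGON_THRESHOLD - 1
        # sliding window: any failure followed by k more inside the window trips the rule
        if any(times[i + k] - times[i] <= FAILED_LOGON_WINDOW for i in range(len(times) - k)):
            alerts.append(f"rdp_brute_force source_ip={ip} failures>={FAILED_LOGON_THRESHOLD}")
    return alerts


def detect_external_rdp_success(events):
    """Item 2: a successful RDP logon (4624) whose source is not an internal range."""
    return [f"external_rdp_logon user={e['user']} source_ip={e['source_ip']}"
            for e in events
            if e["event_id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE
            and is_external(e["source_ip"])]


def detect_remote_access_tool(events):
    """Item 1: process creation (4688) of a known remote access tool binary."""
    alerts = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()   # basename of the executable
        if image in REMOTE_ACCESS_TOOLS:
            alerts.append(f"remote_access_tool host={e['host']} image={image} user={e['user']}")
    return alerts


def detect_bulk_share_access(events):
    """Item 3: one account touching many distinct files on a share (5145) in a short window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 5145:
            by_user[e["user"]].append((e["time"], e["relative_target"]))
    alerts = []
    for user, items in by_user.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            distinct = {name for t, name in items[i:] if t - start <= FILE_ACCESS_WINDOW}
            if len(distinct) >= FILE_ACCESS_THRESHOLD:
                alerts.append(f"bulk_share_access user={user} files={len(distinct)}")
                break
    return alerts


def run_all(events):
    return (detect_rdp_brute_force(events) + detect_external_rdp_success(events)
            + detect_remote_access_tool(events) + detect_bulk_share_access(events))


def sample_events():
    """CONSTRUCTED events; 203.0.113.7 is a documentation address standing in for an external IP."""
    t0 = datetime(2026, 2, 1, 2, 0, 0)
    ev = [{"event_id": 4625, "logon_type": 10, "user": "jsmith", "source_ip": "203.0.113.7",
           "time": t0 + timedelta(seconds=20 * i)} for i in range(6)]      # failed burst
    ev.append({"event_id": 4624, "logon_type": 10, "user": "jsmith", "source_ip": "203.0.113.7",
               "time": t0 + timedelta(minutes=3)})                         # then a success
    ev.append({"event_id": 4624, "logon_type": 10, "user": "admin", "source_ip": "10.0.5.20",
               "time": t0 + timedelta(minutes=4)})                         # benign internal
    ev.append({"event_id": 4688, "host": "FS01", "user": "jsmith",
               "image": r"C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe",
               "time": t0 + timedelta(minutes=6)})                         # tool appears
    ev += [{"event_id": 5145, "user": "jsmith", "relative_target": f"Clients\\case_{i:03d}.pdf",
            "time": t0 + timedelta(minutes=8, seconds=5 * i)} for i in range(60)]  # staging
    return ev


if __name__ == "__main__":
    for alert in run_all(sample_events()):
        print(alert)
```

The constructed sequence deliberately mirrors the order the report describes: a failed-logon burst and then a success from the same external address, a remote access tool dropped in a user's temp directory on a file server, and a single account sweeping a client share. In production the thresholds would be tuned to the firm's baseline, and the internal-range list extended to cover the VPN pool so that legitimate remote attorneys do not trip the external-logon rule.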

Mitigation

  1. Secure Remote Access: All remote access, especially RDP, should be secured with MFA and placed behind a VPN. If RDP is not needed, it should be disabled. This is a key implementation of D3-MFA - Multi-factor Authentication.
  2. Data Encryption: While it won't prevent exfiltration, encrypting sensitive client data at rest provides an additional layer of protection and can be a mitigating factor in regulatory investigations.
  3. Principle of Least Privilege: Ensure that attorneys and staff only have access to the client files they are actively working on. This can limit the scope of data an attacker can access from a single compromised account.
  4. Immutable Backups: As with all ransomware attacks, maintaining secure, offline, and immutable backups is critical for recovery.

Timeline of Events

February 3, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Enforce MFA on all remote access points (RDP, VPN) to prevent credential-based intrusions.
  • Restrict RDP access to only authorized users and source IP addresses, and disable it if not needed.
  • Maintain secure, offline backups to ensure recovery in the event of data encryption.

D3FEND Defensive Countermeasures

For law firms, which are high-value targets for groups like INC ransomware, the single most impactful defense is mandating MFA across the entire organization. This must be applied to all remote access solutions (VPN, RDP gateways), email accounts (Office 365, Google Workspace), and any cloud-based case management software. Since compromised credentials are a primary entry vector for ransomware, MFA acts as a critical barrier, preventing attackers from gaining initial access even if they have a valid username and password. Given the sensitive nature of legal data, firms should opt for strong MFA methods like authenticator apps over less secure SMS-based codes.

Law firms should implement application control policies to prevent the execution of unauthorized software. This is particularly relevant for blocking legitimate but abused remote access tools like AnyDesk or Splashtop, which INC ransomware has been known to use for persistence. An executable denylisting or allowlisting policy can be configured to block these applications from running on any system unless explicitly approved for administrative use. This prevents attackers from easily establishing a secondary, stealthy command-and-control channel after gaining initial access, frustrating their attempts to maintain persistence and move laterally within the network.

Sources & References

Top data breaches of February 2026 (so far) (updated daily), SharkStriker (sharkstriker.com), February 2, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

ransomware, INC ransomware, legal, data breach, attorney-client privilege
