The large US law firm Weil Gotshal & Manges, reporting more than $2 billion in annual revenue, paid a $20 million ransom to the Silent Ransom Group. The group had stolen confidential client data from an external cloud storage site earlier in the year. The FBI had previously issued a private industry alert warning that this group specifically targeted US law firms in extortion campaigns.
Overall ransom payment rates have fallen dramatically. Many companies now refuse to pay, issue a press release, spin the incident, and offer free credit monitoring. Attackers therefore shifted focus to organizations that cannot easily absorb public disclosure of stolen data.
High-end law firms fit this profile perfectly. Public release of client data would cause severe reputational damage and trigger waves of fiduciary-duty lawsuits from current and former clients. A $20 million payment represents only about 1% of the firm’s yearly revenue and was judged preferable to certain disclosure.
The criminals care solely about the money. They know victims will only pay if they believe payment will result in deletion of the stolen data. Steve notes this is a classic “bargain with the devil,” but given the alternatives it was an understandable bet.