Cyber Security Solutions, Compliance, and Consulting Services - IT Security

We offer IT security management and data, network, and information security services for protecting information and mitigating security risks to your organization.

Jun 05 2025

Is Your Law Firm Overlooking These 3 Critical Cyber Risks?

From juggling client deadlines to managing casework, it’s easy to overlook hidden cyber risks lurking in your systems. From forgotten user accounts and patchable vulnerabilities to third-party software, you never know where the next cyberattack might come from.

This edition of our newsletter breaks down three often-ignored threats and what your firm can do to address them now before attackers do.


Law Firms Targeted in New Wave of Silent Ransom Group Attacks

A rising cyber extortion threat is zeroing in on law firms, and it’s not the usual ransomware playbook.

The FBI has issued a warning that the Silent Ransom Group (SRG), also known by aliases like Luna Moth and UNC3753, has made law firms one of its primary targets in a highly personalized phishing campaign.

A Deceptively Simple Playbook With Costly Consequences

Since 2022, SRG has been refining an attack method that doesn’t rely on malware or traditional exploits. Instead, it begins with something far more familiar—a phone call or phishing email. 

These communications appear to be from well-known service providers or the victim’s internal IT department, claiming there’s a minor billing or account issue that needs urgent attention.

Once trust is established, the attacker convinces the target to download remote access software. From there, they quietly enter the firm’s network, elevate their privileges, and extract sensitive client or case data, often without setting off any alarms.

Two months ago, the group reportedly shifted tactics entirely to direct phone-based social engineering, posing as internal IT support and instructing staff to install or join remote access sessions. 

The attackers then exfiltrate data overnight, often using legitimate file transfer tools like WinSCP or Rclone.

Once they’ve secured valuable files, SRG sends out ransom demands.

If a law firm refuses to pay, the group threatens to publish the stolen data on their leak site. 

In some cases, they’ve even called firm employees directly to apply pressure, a tactic that combines psychological manipulation with legal and reputational risk.

Hard to Trace, Easy to Miss

What makes SRG particularly dangerous is its ability to operate with minimal digital footprints. Because the group leverages legitimate tools (rather than malware), traditional antivirus and endpoint detection systems often fail to flag the breach. 

Most compromised firms don’t realize what’s happened until data is already gone or, worse, published.

What Law Firms Should Do Right Now

To mitigate the risk of SRG or similar attacks, law firms should:

  • Train all employees on social engineering and phishing red flags, especially those involving IT impersonation or “urgent” account issues.
  • Establish protocols requiring identity verification before anyone, whether internal or external, can request remote access or software installation.
  • Implement endpoint monitoring that tracks installation and use of remote access tools.
  • Deploy MFA (multi-factor authentication) across all systems.
  • Back up critical data regularly and store it offline or in a secure cloud environment.
  • Log and monitor file transfer tools like WinSCP and Rclone for unusual activity.
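
The two monitoring bullets above can be prototyped as a simple rule over process-creation events. This is an added example, not part of the original newsletter: it flags WinSCP or Rclone launches that happen outside business hours or under a user who is not approved to run them. The event field names, the sample events, and the 07:00-19:00 window are assumptions constructed for illustration.

```python
from datetime import datetime

# File transfer tools named in the newsletter; extend for your environment.
TRANSFER_TOOLS = {"winscp.exe", "winscp.com", "rclone.exe"}
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 local time

# Constructed sample process-creation events (field names are hypothetical).
SAMPLE_EVENTS = [
    {"time": "2025-06-03T10:15:00", "host": "WS-014", "user": "jdoe",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe"},
    {"time": "2025-06-04T01:42:10", "host": "WS-022", "user": "asmith",
     "image": r"C:\Users\asmith\Downloads\rclone.exe"},
    {"time": "2025-06-04T02:05:33", "host": "WS-022", "user": "asmith",
     "image": r"C:\Windows\System32\notepad.exe"},
]


def exe_name(image_path):
    """Lower-cased file name from a Windows path (works on any OS)."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_transfer_tool_use(events, approved_users=frozenset()):
    """Return alerts for transfer-tool launches that are off-hours or unapproved."""
    alerts = []
    for ev in events:
        tool = exe_name(ev["image"])
        if tool not in TRANSFER_TOOLS:
            continue
        reasons = []
        if datetime.fromisoformat(ev["time"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if ev["user"] not in approved_users:
            reasons.append("user not approved for file transfer tools")
        if reasons:
            alerts.append({"time": ev["time"], "host": ev["host"],
                           "user": ev["user"], "tool": tool, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_transfer_tool_use(SAMPLE_EVENTS, approved_users={"jdoe"}):
        print(alert)
```

Matching on the executable name alone is a starting point; pair it with outbound traffic monitoring so that large overnight transfers are caught regardless of which program performs them.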

Vulnerability Management for Law Firms

When it comes to cybersecurity in law firms, most conversations center around ransomware, phishing, and data breaches. 

But underneath it all is one essential and often overlooked pillar: vulnerability management (VM). Without it, your defenses are just guesswork.

In a legal environment, where your clients’ confidential information is at stake and attackers are increasingly targeting firms, VM is a critical risk management function.

Why Vulnerability Management Matters More Than Ever

Law firms, no matter their size, deal with sensitive data daily. That makes you a high-value target and the attackers know it. 

As your infrastructure grows, whether it’s in-office desktops, cloud storage, hybrid work setups, or third-party legal tech platforms, your attack surface expands. And with it, the risks.

Vulnerability Management (VM) helps identify, prioritize, and fix the weaknesses in your digital environment before they’re exploited.

But not all VM tools are created equal.

What Does “Enterprise-Grade” Vulnerability Management Look Like for Law Firms?

Basic vulnerability scanners only scratch the surface. 

A true enterprise-grade VM solution is built for dynamic, complex environments like those found in today’s law offices. It gives your IT or MSP team the context they need to make informed decisions fast.

An effective VM platform should offer:

  • Scanning across all devices: workstations, servers, cloud storage, even mobile and remote endpoints
  • Tailored reporting for different departments (HR, litigation, finance, etc.)
  • Real-time tracking of vulnerabilities—even as assets move or change
  • Easy integration with your existing tools, like SIEM or helpdesk platforms
  • Fast deployment, low learning curve, and simple ongoing maintenance

Why Risk-Based Vulnerability Management Is Essential

Every IT system has vulnerabilities. The real question is, which ones actually pose a risk to your firm right now?

A risk-based VM system goes beyond detection. It helps you:

  • Gauge how likely it is that a vulnerability will be exploited in the real world
  • Understand the potential impact on your law office’s confidentiality, integrity, and availability (the CIA triad)
  • Prioritize fixes based on threat intelligence, severity ratings, and business context

This kind of insight is invaluable for attorneys and managing partners looking to quantify cyber risk and prioritize cybersecurity investments.

Key Features to Look for in a Law Firm-Ready VM Platform

Intuitive Interface

Your staff doesn’t have time for complicated dashboards. A user-friendly interface ensures your IT support can identify and resolve vulnerabilities quickly even when understaffed.

Historical Data

Need to show regulators or clients that you took action? 

A solid VM tool provides historical logs of what was vulnerable, when it was discovered, and how you addressed it.

Automated & On-Demand Scanning

Monthly scans are a good baseline, but the best systems also allow instant scans after system changes or patch deployments.

Accurate Results with Fewer False Positives

False alarms waste time. Look for platforms that offer smart correlation of vulnerabilities with real-world exploit data, so you can focus on what really matters.

Strong Data Management

You should be able to filter, tag, sort, and report on vulnerabilities in any way you need, whether for internal review or compliance reporting.

API & Tool Integration

VM tools that integrate with your broader cybersecurity stack (like SIEM, SOAR, ticketing systems, etc.) allow for automated follow-up and remediation tracking.

With threat actors like the Silent Ransom Group targeting the legal industry, a basic scan-and-patch approach won’t cut it. You need visibility, prioritization, and the tools to act, backed by automation and threat intelligence.


Dormant Accounts: The Hidden Risk Lurking in Your Law Firm’s Digital Footprint

Think back for a moment: how many online accounts have you created over the years? 

Email logins. Legal research tools. Cloud storage. That one software demo you tested for five minutes and never used again. 

Now ask yourself: how many of those accounts are still out there, unused and forgotten?

The reality is, every law firm, no matter how big or small, has some degree of account sprawl. And while these dormant accounts may seem harmless, they can quietly open the door to serious cybersecurity risks. 

If left unchecked, they could become the weakest link in your security chain.

Why Dormant Accounts Are a Real Threat to Law Firms

From personal services to professional platforms, the more accounts your team creates, the larger your digital footprint becomes. 

Over time, accounts fall into disuse but they rarely disappear on their own. These forgotten logins become low-hanging fruit for cybercriminals looking to gain access through the path of least resistance.

Here’s why:

  • Old passwords are often weak, reused, or exposed in past data breaches.
  • Two-factor authentication (2FA) is rarely enabled on dormant accounts.
  • Outdated access privileges may still exist, even for former employees.

Hackers love these accounts because they’re quiet, unmonitored, and often overlooked by security teams.

Common Attack Methods Used on Dormant Accounts

  • Infostealer malware: These programs harvest stored credentials from infected devices. One report found 3.2 billion passwords were stolen in a single year, with the majority coming from infostealers.
  • Credential stuffing: If you’ve reused a password elsewhere, attackers may plug it into dozens of platforms automatically to see what works.
  • Brute-force attacks: Simple or guessable passwords can be cracked with trial-and-error tools.
  • Phishing campaigns: Once hackers gain access to an old account, they may send fake messages to your contacts or even impersonate your law firm.

Real-World Consequences of Inactive Accounts

Dormant accounts have been the starting point for some high-profile attacks:

  • The Colonial Pipeline ransomware attack that disrupted fuel delivery across the U.S. in 2021? It started with a deactivated VPN account that was never fully secured.
  • A 2020 ransomware incident in London was traced back to a weak password on an unused admin account.

In a legal environment where confidentiality and data integrity are paramount, one forgotten login could give threat actors access to sensitive client files, internal communications, or even financial systems.

If an attacker gains access to an abandoned account, they might:

  • Send scam emails under your firm’s name.
  • Access client data, internal files, or saved billing information.
  • Use the account to move laterally across your network.
  • Sell the credentials or access point on the dark web.

In some cases, attackers may not even use the account right away. They might sit on it, wait, and watch. That’s what makes dormant accounts so dangerous: they’re invisible until it’s too late.

It’s Time to Clean House

Taking control of inactive accounts is a necessary part of maintaining client trust and reducing risk.

Here’s how to start:

1. Perform an Account Audit

  • Search inboxes for terms like “welcome,” “verify your account,” or “free trial.”
  • Review password managers or saved browser credentials for unused accounts.
  • Check for accounts tied to former employees or third-party vendors.

2. Close What You Don’t Use

If the account is no longer needed:

  • Log in and request deletion.
  • Wipe any personal or firm-related data stored in the account.
  • Double-check the provider’s deletion policies. Some keep data unless you specifically request removal.

3. Secure What You Keep

For accounts you still need:

  • Change passwords to something strong and unique.
  • Enable multi-factor authentication (MFA). This is non-negotiable for anything holding sensitive data.
  • Regularly review access levels. If a user doesn’t need admin privileges, you should remove them right away.

4. Monitor Dormant Accounts With Automation

Use centralized tools or IAM (Identity and Access Management) solutions to:

  • Flag unused accounts after 30, 60, or 90 days.
  • Deactivate accounts automatically if no activity is detected.
  • Set alerts for logins from unusual locations or at odd times.
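
The 30/60/90-day flagging described in step 4 can be sketched as a review over an account export. This is an added example, not part of the original newsletter or any specific IAM product: the field names, the sample accounts, and the policy of deactivating at 90 days or for former employees are assumptions constructed for illustration.

```python
from datetime import date

TIERS = (90, 60, 30)  # inactivity thresholds in days, as listed above

# Constructed sample export from an identity provider (field names hypothetical).
SAMPLE_ACCOUNTS = [
    {"user": "apatel", "last_login": "2025-05-28", "mfa": True,
     "admin": False, "employed": True},
    {"user": "svc-scan", "last_login": "2025-04-20", "mfa": False,
     "admin": True, "employed": True},
    {"user": "bnguyen", "last_login": "2025-02-01", "mfa": False,
     "admin": False, "employed": False},
    {"user": "demo-trial", "last_login": None, "mfa": False,
     "admin": False, "employed": True},
]


def review_accounts(accounts, today_iso):
    """Return one finding per account that needs review or deactivation."""
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        last = acct["last_login"]
        idle = None if last is None else (today - date.fromisoformat(last)).days
        tier = None if idle is None else next((t for t in TIERS if idle >= t), None)
        notes = []
        if not acct["employed"]:
            notes.append("belongs to a former employee")
        if idle is None:
            notes.append("never logged in")
        elif tier:
            notes.append(f"idle {idle} days (>= {tier})")
        if not notes:
            continue  # active account of a current user
        if not acct["mfa"]:
            notes.append("no MFA")
        if acct["admin"]:
            notes.append("admin privileges")
        # Assumed policy: deactivate at 90+ days or for leavers, otherwise review.
        action = "deactivate" if (tier == 90 or not acct["employed"]) else "review"
        findings.append({"user": acct["user"], "idle_days": idle,
                         "action": action, "notes": notes})
    return findings


if __name__ == "__main__":
    for finding in review_accounts(SAMPLE_ACCOUNTS, "2025-06-05"):
        print(finding)
```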

Whether it’s cleaning up unused accounts, tightening vendor oversight, or upgrading how you handle vulnerabilities, a little action now can save you from a lot of damage later.

Want help securing your weakest links? 

Contact Infoguard Cybersecurity for a cybersecurity readiness review tailored to your law firm.

Learn more about our services.

Best regards,

The Infoguard Cybersecurity Team

Written by kamran · Categorized: Uncategorized
