The Allen & Overy Ransomware Incident: What You Need to Know

A ransomware breach hit law firm Allen & Overy in November 2023. Kate O’Flaherty looks into what actually happened and what can be learned from it

At the start of November, Allen & Overy confirmed many firms’ worst nightmare – it had been hacked by the notorious ransomware gang LockBit.

Keen to claim the high-profile breach, LockBit took credit on its darknet website, giving Allen & Overy until November 28 to negotiate. But the listing was removed ahead of the deadline, leading to speculation that the law firm had paid the ransom – a claim unconfirmed by Allen & Overy.

While it has said little about what happened, Allen & Overy claimed the cyber attack impacted a “small number” of storage servers and said that core systems, including email and document management, were unaffected.

Nevertheless, the breach is a warning to firms operating in the sector and beyond. What happened in the Allen & Overy incident, and what can other businesses learn from it? Here are our top takeaways for you to apply to your own company.

Protect your sensitive data

The Allen & Overy breach shows how important protecting sensitive information is. Allen & Overy claimed the attack did not affect core systems, but the compromise of its servers still affected some customers. This suggests the data being ransomed could have been sensitive, says Phil Robinson, principal security consultant at Prism Infosec.

He points to the statement, which says that the immediate response was focused on assessing “exactly what data has been impacted”.

“One would expect this to be a relatively straightforward task, particularly if the data remains intact. Even if it had been encrypted or erased, the organisation should know the nature of data typically stored on affected servers or be able to identify it through backups and snapshots,” Robinson says.

Another question posed is why security controls were applied to some servers and not others, says Robinson. “It’s imperative that personal data is secured across the estate, regardless of location.”

Follow a plan and communicate

Incident response is critical following any cyber attack; part of this means following protocol. From what’s known, it seems Allen & Overy did precisely that during the incident and in the immediate aftermath, says Robert Smith, product manager of cybersecurity at cloud services company M247. “The firm stated they took immediate action to isolate and contain the breach, which is the correct method to follow as it ensured that data in their core systems was not affected.”

“Although the firm confirmed an incident had occurred, they disclosed little information on how attackers could breach their systems” Robert Smith

Additionally, by making the public announcement to confirm an incident had occurred – while assuring clients and associates that forensic work was taking place in the background – it appears the damage was “successfully contained”, Smith says.

Allen & Overy handled post-breach communication well, but its response could be improved, says Philip Ingram, MBE, a former senior British military intelligence officer. He says firms should proactively keep customers and suppliers informed, including as much detail as possible. “This must be timely, proactive and accurate to keep your reputation intact.”

And while communication following the Allen & Overy incident was timely and frequent, the firm didn’t offer much insight into what was impacted. “Although the firm confirmed an incident had occurred, they disclosed little information on how attackers could breach their systems,” says Smith.

Patching: Not a ‘once and done’ activity

We’ve said it before, and we’ll say it again: patching is integral to keeping your business safe. And it’s not a ‘once and done’ activity.

All indicators point to a security vulnerability in Citrix dubbed ‘CitrixBleed’ being used to carry out the Allen & Overy breach. “This allows attackers to get their hands on sensitive data such as session tokens and use these to gain access to the system as a privileged user,” says Sean Wright, head of application security at Featurespace.

He points out that the patch was made available by Citrix in October, with the software giant later warning it was being used in attacks.

Firms need to pay close attention to security advisories from suppliers, says Wright. “Ensuring you have a complete asset inventory of services and products used in your organisation is imperative.”

Time is not on your side, so don’t wait to update your systems. “Make sure you either patch vulnerabilities as soon as possible or implement the appropriate mitigations to protect the service or product,” says Wright.

Know your enemy

When fighting cyber attacks, it’s a good idea to understand who your enemy is. In the case of ransomware, which has its own very complex business model, understanding how adversaries operate can help.

“The agreement is typically that the affiliates will attack in exchange for a cut of the extorted money” Aaron Walton

LockBit consists of administrators who manage the website, extortion and public image, and individual contributors known as “affiliates”, explains Aaron Walton, threat intelligence analyst at Expel.

“The affiliates carry out the cyber intrusion against companies but leave the extortion to the administrators. The agreement is typically that the affiliates will attack in exchange for a cut of the extorted money.”

Walton says that understanding the distributed and multi-tiered nature of ransomware organisations such as LockBit is essential for enterprises to better protect their critical systems and for law enforcement to pursue the criminals. “It means they’re fighting a hydra-like adversary that won’t simply stop if an administrator or a few affiliates are caught.”

LockBit maintains one of the most popular and open affiliate models in the ransomware market, says Keegan Keplinger, senior threat researcher at eSentire’s Threat Response Unit. He says eSentire has seen an uptick in browser-based attacks – which see employees download and detonate malware while browsing the internet – leading to ransomware. “We have found legal firms particularly vulnerable to these threats,” he says.

Know your sector’s weaknesses and address them

It’s also important to know your sector’s weaknesses and address them. The legal industry, for example, is increasingly targeted by hackers, so much so that it was the subject of a warning from the UK’s National Cyber Security Center in June. It’s easy to see why. There are sensitive documents and data that could be used to influence legal cases and large amounts of payments from settled cases, says Smith.

At the same time, many law firms have cut costs or re-allocated budgets to attract new clients, so robust cybersecurity is “not their number one priority”, says Dr Ilia Kolochenko, chief architect at ImmuniWeb and adjunct professor of cybersecurity and cyber law at Capital Technology University.

Learning from the Allen & Overy incident, law firms need to change this: They should allocate a “considerable amount” of profits to cyber defence and cyber resilience, Kolochenko says. “Confidentiality of clients’ data will soon become the key criteria when selecting a law firm.”

Paying is not always the answer

Allen & Overy appeared on the LockBit extortion site on November 8, and the firm acknowledged a “data incident” on November 9. The victim listing disappeared from the LockBit extortion site on November 27, one day before the ransom deadline. Experts say this could indicate that Allen & Overy entered negotiations with LockBit and paid the ransom.

“It isn’t a coincidence that this breach coincides with the firm’s successful merger with Shearman & Sterling” Robert Smith

But paying isn’t always the answer, as it can make you a target again. “Unless you take further steps to secure your systems, be prepared to keep paying,” says Ingram.

Any organisation that falls victim to a ransomware attack must realise “it never pays to pay,” agrees Rick Jones, CEO of DigitalXRAID. “The reality is that paying a ransom provides no assurance of data recovery, and even if retrieved, the compromised information loses its integrity under GDPR.

“This holds significant implications for law firms dealing with the sensitive legal matters of high-value clients, as the compromise of confidential information can irreparably damage reputation and trust.”

The final word: It’s not over after it’s over

How organisations handle a breach really does matter. In the case of Allen & Overy, the firm appears to have chosen to keep as silent as possible while considering its regulatory and ethical obligations.

This tactic could work. While more could emerge about gaps in the firm’s security, for now, it seems that Allen & Overy have been spared the brunt of any reputational damage, says Smith.

However, the law firm isn’t out of the woods just yet. “It isn’t a coincidence that this breach coincides with the firm’s successful merger with Shearman & Sterling,” Smith says.

Indeed, he also points to the fall-out last year after ransomware hit another law firm, Ince Group, which has since ceased trading. “The reputational damage to Allen & Overy might only just be beginning to take shape.”