Legal firms breached as data sold on dark web markets

February 1st, 2023

The risks associated with cyber extortion engulf every industry as cyberattacks make the headlines daily, and as cybercrime hits pandemic levels, we see a shift to data theft and extortion as criminal gangs grasp the opportunity for huge financial gains; their sights set on industries most likely to fold. The wealth of sensitive and confidential data retained by law firms draws the attention of threat actors, with details on intellectual property, trade secrets, evidence, mergers, and financial information up for grabs. This enticing data offers huge financial reward either through interception of client funds, or extortion and ransom potential, as those most affected by reputational harm and litigation are deemed likely to pay.

Business e-mail compromise and ransomware are substantial risks to the legal sector, with data breaches a likely result in both. And since South Africa’s (SA’s) introduction of the Protection of Personal Information Act 4 of 2013 (POPIA) in July 2020, the risk of litigation and reputational harm is increased, with public and private bodies regulated in the protection of personal information. POPIA imposes statutory penalties for violations of the law with ‘a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment’ for those found negligent.

Noncompliance may not be the overriding financial concern for business in the region as highlighted in the IBM Cost of a Data Breach Report 2022 (, accessed 10-1-2023). The survey found that the average cost to organisations in SA was R 40,2 million per breach, this grew to R 46 million in 2021, and R 49,25 million last year. Eighty-three percent of the organisations studied had experienced more than one data breach, with just 17% claiming this was their first incident. Investigations revealed the initial attack vectors of data breaches were through accidental data loss, cloud misconfiguration, phishing, insider threats, and stolen or compromised credentials.

However, organisations remain unprepared, as highlighted in the American Bar Association 2021 Legal Technology Survey Report (David G Ries ‘2021 Cybersecurity’ (, accessed 10-1-2023)). Twenty-five percent of the respondents reported their law firm had been breached, and yet only 27% reported they had a full security assessment. Further studies as outlined in the global State of Cloud Security 2020, found that 59% of South African breaches were through stolen credentials (Sophos ‘The State of Cloud Security 2020’ (, accessed 10-1-2023)). POPIA requires that in the event of a data breach, businesses inform the Information Regulator, as well as the person or persons whose data has been compromised as soon as reasonably possible. And so, it is crucial that organisations in the region, in particular law firms, have a clear, effective, and robust incident response plan in place.

STORM Guidance has been observing the situation for some time, and while attending to several diverse cyber incidents in the last year or two, noted an overwhelming rise in the extortion of data as the primary leverage against victims. Echoing concerns over data security, we have seen these attacks carried out using various malware or phishing methods, with extracted sensitive information then sold to cyber criminal’s black-market websites. These illegal trading sites, such as Industrial Spy market, now have an expanse of data that is bought and sold at a profit, exploiting stolen personal information for tremendous financial gain. Access to breached databases are supporting a wealth of criminality, with lucrative information such as account credentials, personally identifiable information (PII), credit card details, passports, medical records, National Insurance (NI) numbers, drivers’ licences, and more.

Using a ransomware-style extortion process, breached data is made available to buyers in an auction-style bidding war, and victims are given the details of where they can subscribe, and with any luck, outbid other players. Dark web marketplaces are a breeding ground for government intelligence, detailed voter databases, trade secrets, and critical infrastructure networks, igniting geopolitical concerns in what is now one of the greatest threats to the global economy.

What can organisations do to address data extortion risk?

It is important for law firms to understand that they are not immune to incidents involving a data breach. Basic measures can be taken to improve defences, such as applying multi-factor authentication (MFA), setting up network segmentation, disabling macros so that they are not exploited in phishing e-mails, and ensuring backups are stored offline. And in our continuous efforts to remain one step ahead of cybercriminals, STORM has been working towards solutions to the shift in threat actor behaviour. Our research on the dark web and these illegal trading sites gave us a true insight into the extent of the issue, and this knowledge led to the development of a new dataset analysis tool, providing an additional layer to operational security protocol. There was a clear urgency for a solution to the imminent reality of a data extortion epidemic, and with little out there to support the economy in addressing this threat, innovation was crucial.

Through the immersive investigation of dark web markets and the dedication of STORM’s team of digital forensics investigators and cybersecurity specialists, ‘CyberDiscover’ was created, transforming the cybersecurity market ( The new tool brings a cutting-edge development to security controls, a creation that forms the basis of an organisations data security toolset for a proactive approach to data privacy and protection. The latest development enables organisations to safeguard their sensitive information, limiting the probability of litigation, while minimising the need for human intervention. CyberDiscover intuitively seeks out sensitive information contained within large datasets, for example, filesystems, mailboxes, and other repositories, using an integrated process of data analysis and artificial intelligence. With the addition of a dedicated PII team, automated results are supported with in-depth manual analysis, using specialist skills to dig deeper where needed. Sensitive data is rapidly identified before it falls into the wrong hands, and with findings catalogued into filterable results, the tool assists in painlessly improving the process of data management and protection.

Due to the regulatory requirements of POPIA, businesses must report cyber incidents to the Information Regulator and affected data subjects, and assisting in this process, CyberDiscover can be utilised to act fast in notifying victims. In the unfortunate event of a breach, it rapidly extracts PII from stolen datasets, and incorporates a fully integrated notification tool that enables customised e-mails to send in bulk. Given the current cyber threat landscape, this new solution may well become indispensable.

Industrial Spy market – an inside perspective

STORM investigators noticed the gradual change in the pattern of criminal activity some time ago, and in predicting the shift to data ransom and extortion, initiated research into dark web marketplaces. The phenomenal speed at which the black market accelerated gives testament to the fact that data extortion should now be considered the number one cyber threat to all businesses. To corroborate this claim, this article demonstrates evidence taken from underground networks during our research, exposing screenshots of boundless data, the gravity of its sensitivity, and the enormity of its worth.

Industrial Spy’s homepage can be seen in the image above, reflecting sales tactics and the availability of social media networking.

Exploring the criminal activity in some depth, we paid particular focus to the Industrial Spy market which advertised that it sold data such as ‘public schemes, drawings, technologies, political and military secrets, accounting reports and client’s databases’ to buy or download for free. The site claims to provide data ‘gathered from the largest worldwide companies, conglomerates and concerns with every activity’. Categorised into three sections, the marketplace offers ‘Premium’, ‘General’, and ‘Free’, listing options, each with their own rules. Victims of data extortion are told that their information is available within the ‘Premium’ marketplace, where they will have seven days to buy their data if they are not outbid. If it is bought within the seven-day period, once it is downloaded by the buyer, Industrial Spy claim that it will be completely deleted from their servers. However, if the time is lapsed, the listing will move into the ‘General’ marketplace, where it will be available at a much-reduced premium, to ‘multiple clients’, and it will never be deleted from their servers. In time, this data will then move into the ‘Free’ marketplace where it will be accessible to all.

The images above give an idea of the information available for sale, the gravity of some of this information, and an idea of listing prices.

Trade secrets, manufacturing diagrams, and political and military secrets are among the stock: Some data is sold in the millions. With listings such as ‘$150,000 blackmail method ++ new ++ 2022 clone’, this is the place to go for criminals looking to breach systems themselves, and it seems, where little technical skill is needed.

An example attack method listing that demonstrated the easy gains offered by a career in cybercrime claimed, ‘the method is straight up, to the point, not much experience is needed, just a basic sense of e-mails and usage of the software such as Ghostmailer (spoofs e-mails) and Massive Mailer (mass e-mail sender)’. While investigating, STORM found huge volumes of ‘Fullz’ data available to the next bidder. Fullz is the name used by cybercriminals for ‘full’ data packages containing information such as a person’s name, address, NI number, driver’s license, bank account credentials, and medical records, among other details: In other words, their ‘full information’. Fraudsters use this information to impersonate the victim, using their financial reputation for identity theft and fraud.

The data is normally obtained through corporate and institutional data breaches, with the insurance, legal, commercial, and financial sectors the most common targets due to the sensitivity of the data they hold. The impact of these breaches affects not only the financial reputations and bank balances of the victims, but also the resultant reputational harm, lost revenue, and legal damages caused to the breached organisation.

Will paying ransoms protect stolen data from re-entering dark web markets?

When it comes to the payment of data extortion ransoms, it is suspected that threat actors are not always honouring their assurances of deleting the data after it is returned to its victim. The ease of data re-packaging makes it extremely unlikely that listed data can be traced back to its original breach. With the opportunity of substantial further gains, surely it would be naïve to believe that criminals would not seek to continue to profit from the results of their activities. Evidence to substantiate such a theory would destroy the reputation of the whole data extortion market, but with such anonymity, why would they not trade the data, or a subset of it, in situations where it cannot be originated?

We do, however, have widely publicised reports of threat actors targeting former victims who paid their ransoms. An article by ZDNet unravelled the bitter truths behind the scenes of a ransomware attack, with reports demonstrating that only 54% of victims regained access to data and systems after paying ransom demands, and another third were stung with additional payment demands before they received the decryption key (Danny Palmer ‘Ransomware victims are paying up. But then the gangs are coming back for more’ (, accessed 10-1-2023)).

Unknowingly, subjects of a breach will go about their business as usual, oblivious to the fact an attacker has compromised their systems. Threat actors will lurk inside a network for weeks or months prior to their attack, gaining all the necessary controls and permissions should they wish to return and initiate future attacks. And with no real assurance that payment will give relief, the threat to business reputation and survival is vast, as demonstrated in a further article by ZDNet, where the target gave in to extortion demands, but the BlackMatter group still leaked the data a few weeks later (Danny Palmer ‘This company paid a ransom demand. Hackers leaked its data anyway’ (, accessed 10-1-2023)).

In the Coveware Quarterly Ransomware Report, some ransomware groups were found to leak stolen data after ransoms were paid (Coveware ‘Ransomware Demands continue to rise as Data Exfiltration becomes common, and Maze subdues’ (, accessed 10-1-2023)). In these instances, victims were given fake data as proof of deletion, and others were offered no false pretences when they were re-extorted using the very data they had paid not to be released. Example cases include:

  • Sodinokibi: Victims paid and were re-extorted weeks later with the same data set.
  • Netwalker: Victims paid but the data was posted anyway.
  • Mespinoza: Victims paid but the data was still leaked.
  • Conti: Victims were shown fake files as proof of deletion.

The value of client data held by legal firms further increases the chances of it being leaked regardless of the action taken to prevent this from happening. This puts the sector in very real danger of litigation, however robust their incident response plans may be. Data breaches can result in fines of up to $10 million, and we already know that the clients of law firms are likely to sue if their data is leaked. It is imperative that legal firms identify their sensitive data and improve data management before it falls into the wrong hands. As the likes of Industrial Spy quite rightly quoted: ‘He who owns the information, owns the world’ (Nathan Mayer Rothschild), bringing the true value of CyberDiscover into the spotlight of public interest.

Cybersecurity specialists, STORM Guidance (, welcome enquires from LSSA members looking to know more about CyberDiscover, and how it can help them safeguard their sensitive data. You can read more about the service here:

Rosanna Hayes is Head of Communications at STORM Guidance in London.

This article was first published in De Rebus in 2023 (Jan/Feb) DR 6.