CASE STUDY
Law firm negotiates over 50% ransom reduction to protect client data
Industry
Legal
Background
Employees: < 150
Coverages: Ransomware, Breach Response
After experiencing a ransomware attack, a law firm attempted to restore their systems from backups on their own. Working with a managed service provider (MSP), they felt like things were under control by the time they contacted Coalition¹ ² — until they learned the threat actor exfiltrated their data and threatened to leak it.
Initially, the law firm was hesitant to investigate the matter but suddenly felt an urgency to pay the ransom and protect their client data. Their Breach Response coverage kicked in, and they selected Coalition Incident Response (CIR)³ to begin the forensics investigation. The threat actor claimed to have stolen more than 100GB of data, but CIR suspected it could be much more.
To determine what data was exfiltrated and which clients would need to be notified, CIR engaged the threat actor and requested evidence of what data it had stolen. CIR ultimately received video confirmation of the threat actor deleting the files, and we determined that no additional data beyond the amount they initially claimed was stolen.
Ultimately, CIR negotiated the ransom from six figures to less than half of the demand, which was covered under the law firm’s policy. The law firm’s policy¹ is expected to cover CIR’s fees, notification costs, data mining, and legal fees.
Coalition¹ brings together active monitoring, incident response, and comprehensive insurance to solve cyber risk. To learn more, visit coalitioninc.com.
2. The claim scenarios described here are intended to show the types of situations that may result in claims. These scenarios should not be compared to any other claim. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law.
3. Breach response included the engagement of an incident response firm; the insured selected Coalition Incident Response.