BP Perspective Insights from a Business Partner

How to Spot the Early Signs of a Ransomware Attack — and Take Action

Ransomware will cost the economy $20 billion in 2021 — and the legal industry is not immune from this threat. In fact, lawyers, legal staff, law firms and court systems are rich targets for cybercriminals because they are trusted with a significant amount of sensitive data.

Brad Paubel

People may think there are no signs that a ransomware attack is imminent until it is too late, but that’s not the case. Here are some of the early signals that lawyers and staff can watch for to help prevent an attack.


Ransomware attacks happen when a bad actor, a cybersecurity adversary interested in attacking information, phishes — in other words, tricks someone in an organization into clicking on a link or downloading a file that then installs a virus on their computer. It can involve hundreds of attempts against any users on a given network. The frightening part is only one attempt needs to work for the attack to be successful. Once downloaded, the malware will start to encrypt all the files on that individual’s computer — and then move on to any connected system.

Users will eventually receive a ransom demand asking for payment of a certain amount of money — usually in bitcoin or another untraceable cryptocurrency — to decrypt the data. Previously, paying the ransom would solve the problem. More recently, however, bad actors have taken payments and unlocked files but kept the data for sale on the so-called dark web. (They are, after all, criminals.) This outcome is another reason why spotting the early signs of a ransomware attack in the first place is so important.


These are the common warning signs of an imminent ransomware attack that a firm should educate lawyers and staff to watch for:

  • An increase in phishing attempts: If a firm’s employees start noticing a significant uptick in spam emails, that could be a sign bad actors are looking for ways to plant malware. Since it only takes one person clicking on a bad link or mistakenly downloading a virus-laden file to potentially infect an entire network, any increase in phishing attempts should immediately set off alarm bells.
  • Unauthorized access alerts: A firm’s network administrator may see an increase in unauthorized access attempt notifications. Individuals could also receive emails letting them know someone has tried to reset their passwords. These attempts at your network access could indicate a ransomware attack is underway.
“Previously, paying the ransom would solve the problem. More recently, however, bad actors have taken payments but unlocked files and kept the data for sale on the so-called dark web.” 
  • Virus protection alerts: If a bad actor is trying to place malware on someone’s computer, any installed virus protection software may raise an alert and block the program from running. Having up-to-date antivirus software is an excellent idea as it provides the first line of defense.
  • Scrambled file names or contents: When malware encrypts the data on a computer, it will often scramble the names of files or make it so these files cannot be opened. If a user is looking at their drive and notices their usual file names have been replaced with unrecognizable gibberish, that could be the early stage of a ransomware hack.
  • Computers locking up: Malware can interfere with a computer’s operating software, and that will cause performance issues, including system freezes. If these start to happen out of nowhere, ransomware could be the culprit.
Skip to content


Everyone in a law firm should be trained to recognize the early signs of a ransomware attack. There are tools available that will send fake phishing emails to simulate a ransomware attack, test for vulnerabilities and provide valuable information to use in adapting training efforts around common pitfalls.

Any initial sign of a ransomware attack should prompt a user to immediately disconnect from the law firm’s IT network by removing both hardwired (LAN) connections and Wi-Fi access. Once it’s completely disconnected from any other system, the computer can be assessed for possible damage. There are services that will do this, but if cost is an issue, software is also available. However, any trace of the malware must be found and removed, or it will just spread again.

In addition to training staff and lawyers on how to recognize a ransomware attack and what to do if they suspect it’s happening, a firm should regularly back up all its data — preferably to the cloud or an off-site location. That way, if there is an attack, a clean backup is available to reinstall once every trace of malware is removed from the on-site systems. Cloud backup services also regularly scan data for known malware and other viruses, and this acts as a stopgap to any measures a firm has in place.


Ransomware attacks against law firms are only going to increase. Sooner or later, a phishing attempt will sneak in. That’s why everyone should know to watch for the early signs of an infection and how to respond to mitigate potential damage.