DMS Law Ransomware Attack: When Client Data Is Encrypted and the ICO Comes Calling
DMS Law, a UK-based solicitors firm, suffered a ransomware attack that encrypted client data and caused significant operational disruption. The incident followed a pattern that has become depressingly familiar across the UK legal sector: inadequate backup arrangements, no tested incident response plan, and insufficient technical controls to detect or contain the attack before it achieved full encryption. The aftermath — dealing with the ICO, the SRA, affected clients, and insurers simultaneously — is precisely what every UK law firm should prepare for before ransomware arrives.
Ransomware attacks on UK law firms increased by over 50% between 2021 and 2023, with small and mid-size practices the most frequent victims.
The Attack Pattern: How Ransomware Typically Enters a Law Firm
The DMS Law attack followed the entry and escalation pattern seen in the majority of law firm ransomware incidents:
- Initial access via a phishing email or exposed remote access system — the two most common entry points
- Attacker establishes persistence on the compromised machine and begins quiet reconnaissance
- Lateral movement across the firm's network using harvested credentials — often over days or weeks
- Data exfiltration: files copied out before encryption for double-extortion leverage
- Ransomware deployment: encryption of all accessible systems simultaneously during off-hours
- Ransom demand: accompanied by samples of exfiltrated files and a deadline
The Backup Problem
The most operationally damaging aspect of ransomware for law firms without adequate backups is the complete loss of access to client matter files. When backups are inadequate — either not taken, not tested, or stored in locations accessible to the ransomware — firms face a binary choice: pay the ransom or attempt to rebuild from whatever fragments exist. Neither is a good position to be in during live client matters, completions, hearings, or court deadlines. Backup arrangements for law firms must satisfy three conditions: immutability (backups that ransomware cannot encrypt or overwrite), offline or air-gapped storage, and tested restoration — a restore actually performed and verified within the last six months.
Regulatory Consequences: SRA, ICO, and Insurer Notifications
Following a ransomware attack that affects client data, UK law firms face a mandatory notification sequence that runs concurrently with the technical response:
- ICO notification within 72 hours of becoming aware that a personal data breach has occurred — even if investigation is incomplete
- SRA notification if client confidentiality, client money, or the firm's ability to practise is affected
- Professional indemnity insurer: most policies require immediate notification of circumstances that might give rise to a claim
- Affected clients: under GDPR Article 34, where a breach is likely to result in high risk to individuals, those individuals must be notified without undue delay
- Law Society: for significant incidents affecting public confidence in the profession
Recovery: What Good Looks Like
Firms that recover well from ransomware attacks share common characteristics: clean, tested backups that allow restoration to a known-good state; an incident response plan that was rehearsed before the attack; cyber insurance that provides access to specialist incident response support; and proactive communication with the ICO, SRA, and affected clients. Firms that struggle are those attempting to manage the technical response, the regulatory notifications, the client communications, and the business recovery simultaneously without a plan or specialist support.
Frequently Asked Questions
How long does it take to recover from a ransomware attack as a law firm?
Recovery time varies enormously depending on backup quality, system complexity, and the scope of compromise. Firms with clean, tested offline backups and a rehearsed incident response plan can restore core operations within 24–72 hours. Firms without adequate backups can face weeks or months of disruption — and may never fully recover all historical matter files. The investment in backup infrastructure is measured in hours of recovery time when the incident occurs.
Should we pay the ransom?
The NCSC and NCA recommend against payment. Paying provides no guarantee of decryption, funds criminal operations, and may breach UK sanctions regulations if the attacker is a sanctioned entity. However, this is a decision that must involve your cyber insurer, legal advisers, and incident response team — not IT alone. In practice, firms with adequate offline backups rarely face a genuine dilemma, which is why backup integrity is the single most important resilience control.
Does cyber insurance cover ransomware attacks?
Most cyber insurance policies cover ransomware response costs including: incident response specialist fees, forensic investigation, ransom negotiation (not necessarily payment), system restoration, legal costs of ICO and SRA notifications, and client notification costs. Some policies also cover ransom payment and business interruption losses. Policy terms vary significantly — review your policy carefully and consider specialist broking advice to ensure ransomware coverage is adequate.
Build ransomware resilience before the attack — speak to us
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.