
Ransomware Risks for Melbourne Law Firms: What to Do Now

Peter Nelson · 9 min read

Ransomware attacks against Melbourne law firms are increasing. Here's how they work, what the real costs are, and the specific controls that stop them.

Ransomware attacks against Australian professional services firms increased significantly in 2023–2025, and Melbourne law firms are a priority target. The reason is straightforward: law firms hold files that are extremely sensitive (making the threat of publication credible), handle time-critical deadlines (making extended downtime economically damaging), and are often under-protected relative to the value of their data.

IBM’s 2024 Cost of a Data Breach Report puts the global average cost of a ransomware attack at USD 4.91 million, and professional services firms consistently rank among the highest-cost categories. For a Melbourne law firm, a ransomware incident typically costs far more than the ransom itself: the total includes forensic investigation, data recovery or reconstruction, client notification, regulatory reporting, lost billable hours during recovery, and in some cases professional indemnity claims from clients whose matters were affected.

This article explains how ransomware reaches Melbourne law firms, what the attack looks like from inside the firm’s environment, and the specific technical controls that prevent or contain it.

How Ransomware Attacks Actually Start

Understanding the entry vectors helps explain which controls matter most. Ransomware in Melbourne law firms typically enters through one of four mechanisms:

1. Phishing Email

A staff member receives an email with a malicious attachment (disguised as an invoice, court document, or PDF) or a link to a credential-harvesting page. They open the attachment or enter their credentials. The malware executes, or the attacker uses the captured credentials to log in.

This is by far the most common initial entry point for ransomware in Australian professional services. The emails are increasingly sophisticated — AI-generated phishing is producing language that passes superficial review by experienced staff.

2. Compromised Credentials

The attacker obtains a staff member’s password from a prior data breach (credential dumps from unrelated services are traded in underground markets, and passwords are widely reused) and logs in to Microsoft 365, a VPN, or a remote desktop service. Without MFA, a valid password is all the attacker needs.

This vector specifically targets firms where MFA is not enforced — which is still the majority of Melbourne small-to-medium law firms.

3. Unpatched Vulnerabilities

Attackers scan the internet for systems running known-vulnerable software. A law firm with an unpatched VPN appliance, Remote Desktop Protocol exposed to the internet, or outdated Windows Server has a known attack surface that can be exploited without any user interaction at all.

This vector is largely preventable through consistent patching, but many Melbourne law firms have deferred patching on critical systems for operational continuity reasons — and some have systems with no clear owner responsible for updates.

4. Supply Chain Compromise

A managed service provider or software vendor used by the firm is compromised, and the attacker uses that access to pivot into the firm’s environment. This is a more sophisticated attack that represents a smaller proportion of incidents but has produced some of the largest-scale ransomware events in Australia.

What Happens During a Ransomware Attack

Once attackers have initial access, modern ransomware attacks do not immediately encrypt everything. They operate inside the environment for days to weeks before detonating — this period is called “dwell time.”

During dwell time, the attacker:

  • Identifies all backup systems and either encrypts or destroys them
  • Maps the most valuable data — client files, trust account data, privileged communications
  • Exfiltrates a copy of sensitive data for the double extortion threat
  • Escalates privileges to obtain domain administrator access
  • Positions the ransomware on as many systems as possible

When detonation finally occurs, it is comprehensive — all connected storage, including network shares, mapped drives, and accessible backup volumes, is encrypted simultaneously. If the attacker has done their preparation thoroughly, the firm wakes up with no access to any of their files and a ransom demand on every screen.

The double extortion component means the attackers also threaten to publish the exfiltrated data — client files, trust account records, confidential correspondence — on a dark web leak site unless paid. For a law firm, this threat has particular weight given client confidentiality obligations and potential Privacy Act breach implications.

The Five Controls That Matter Most

1. Endpoint Detection and Response (EDR)

EDR is the single most important control for stopping ransomware that has already entered the environment. Modern EDR products like Sophos Intercept X use behavioural analysis to detect ransomware encryption behaviour in real time and terminate the process before significant damage occurs. Sophos CryptoGuard, for example, detects the pattern of rapid file modification characteristic of ransomware encryption and rolls back any affected files automatically.

Standard antivirus is not equivalent to EDR. It relies primarily on signature matching, detecting threats that have already been catalogued, and modern ransomware builds are repacked precisely to evade signatures. EDR watches what a process does (mass file modification, shadow copy deletion, credential dumping) rather than which variant it is, and records the telemetry needed to trace how the attacker got in.

EDR must be deployed on all devices: every laptop, desktop, and server, including any legacy server that "cannot be touched". A single unprotected device is a potential starting point for a full network encryption event. Two further conditions matter in practice: tamper protection must be switched on, because attackers routinely try to uninstall or disable the agent during dwell time, and someone must actually be watching the console and responding to alerts, whether that is the firm's IT provider or a managed detection and response service.
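The "rapid file modification" heuristic described above, as an added example that is not Sophos code or code from this article: a small behavioural detector run over a constructed stream of file events of the kind an endpoint sensor records. The event format, thresholds, process names and paths are all assumptions; the point is the shape of the logic, including why a bulk copy of many files does not trigger it while rename-to-new-extension activity does.

```python
"""Added example (not Sophos or any vendor's code): a behavioural ransomware
detector run over a constructed stream of file events. The event format,
thresholds and sample paths are assumptions.
"""
import ntpath
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Assumed event format, one per line:
#   "<epoch ts> <process> write <path>"
#   "<epoch ts> <process> rename <old path> -> <new path>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<proc>\S+)\s+(?P<op>write|rename)\s+"
    r"(?P<path>.+?)(?:\s+->\s+(?P<new>.+))?$"
)


@dataclass
class FileEvent:
    ts: float
    process: str
    path: str           # file the event touched (old name for a rename)
    ext_changed: bool   # rename that swapped the extension, e.g. .docx -> .locked


@dataclass
class Alert:
    process: str
    first_ts: float
    last_ts: float
    files_touched: int
    extension_changes: int


def parse_event(line: str) -> Optional[FileEvent]:
    """Parse one log line; returns None for lines that do not match the format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    old, new = m["path"], m["new"]
    ext_changed = False
    if m["op"] == "rename" and new:
        # ntpath handles Windows paths correctly even when this runs on Linux
        ext_changed = ntpath.splitext(old)[1].lower() != ntpath.splitext(new)[1].lower()
    return FileEvent(float(m["ts"]), m["proc"], old, ext_changed)


class RansomwareBehaviourDetector:
    """Per-process sliding window over recent file events.

    Alerts when one process touches at least `min_files` distinct files within
    `window_s` seconds AND at least `min_ext_change_ratio` of them were renamed
    to a new extension. The second condition keeps a bulk copy or a backup job
    (many writes, no extension swaps) from tripping the detector.
    """

    def __init__(self, window_s: float = 5.0, min_files: int = 8,
                 min_ext_change_ratio: float = 0.5):
        self.window_s = window_s
        self.min_files = min_files
        self.min_ext_change_ratio = min_ext_change_ratio
        self._recent: dict = defaultdict(deque)   # process -> deque[FileEvent]
        self._alerted: set = set()                  # one alert per process

    def feed(self, ev: FileEvent) -> Optional[Alert]:
        q = self._recent[ev.process]
        q.append(ev)
        while q and ev.ts - q[0].ts > self.window_s:   # drop events outside the window
            q.popleft()
        files = {e.path for e in q}
        if len(files) < self.min_files or ev.process in self._alerted:
            return None
        ext_changes = sum(1 for e in q if e.ext_changed)
        if ext_changes / len(files) < self.min_ext_change_ratio:
            return None
        self._alerted.add(ev.process)
        return Alert(ev.process, q[0].ts, ev.ts, len(files), ext_changes)

    def scan(self, lines) -> list:
        alerts = []
        for line in lines:
            ev = parse_event(line)
            if ev is not None:
                a = self.feed(ev)
                if a is not None:
                    alerts.append(a)
        return alerts


# Constructed sample events (not real telemetry).
TEMP_EXE = r"C:\Users\jane\AppData\Local\Temp\upd.exe"
MATTERS = [rf"C:\Matters\Smith\doc{i:02d}.docx" for i in range(10)]
SAMPLE_EVENTS = (
    # benign: a lawyer saves a document in Word
    [r"1700000000.0 WINWORD.EXE write C:\Matters\Smith\contract.docx"]
    # benign: a bulk copy writes ten files in a second, no extension changes
    + [rf"1700000005.{i} robocopy.exe write D:\Archive\Smith\doc{i:02d}.docx" for i in range(10)]
    # malicious: an unsigned binary in %TEMP% overwrites and renames ten files in two seconds
    + [line for i, p in enumerate(MATTERS) for line in (
        f"17000000{20 + i // 5}.{(i % 5) * 2} {TEMP_EXE} write {p}",
        f"17000000{20 + i // 5}.{(i % 5) * 2 + 1} {TEMP_EXE} rename {p} -> {p}.locked",
    )]
)


def run_sample() -> list:
    return RansomwareBehaviourDetector().scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a.process}: {a.files_touched} files, "
              f"{a.extension_changes} extension changes in {a.last_ts - a.first_ts:.1f}s")
```

Running the sample fires exactly one alert, for the binary in `%TEMP%`, after its eighth distinct file; the Word save and the ten-file copy pass silently. A real product adds entropy checks on the written content, honeypot files and automatic rollback, but the per-process windowing and the extension-change ratio are the core of why behavioural detection catches a variant it has never seen.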

2. Multi-Factor Authentication on All Accounts

MFA does not stop a password from being stolen, but it stops a stolen password from being enough. Credential compromise is the second most common entry vector after phishing, and with MFA enforced an attacker holding a staff member’s password still cannot sign in to Microsoft 365, the VPN, or remote access without the second factor.

MFA must be enforced via policy (Entra ID Conditional Access), not left as optional. Firms with MFA nominally available but not mandated have significant credential exposure because attackers specifically target accounts where MFA is not active. Two caveats apply. Legacy authentication protocols (basic-auth IMAP, POP and SMTP) cannot present a second factor and must be blocked by a separate policy, or they become the bypass. And push-notification or one-time-code MFA can still be defeated by adversary-in-the-middle phishing kits that relay the whole login and capture the session token, so phishing-resistant methods (FIDO2 security keys or passkeys) should be the target state for partner and administrator accounts.
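A check for the "nominally available but not mandated" state, as an added example that is not Microsoft's code or code from this article: it audits Conditional Access policies in the shape returned by Microsoft Graph (`GET /identity/conditionalAccess/policies`) and reports why a policy does not actually enforce MFA tenant-wide. The three sample policies, the pilot group and the break-glass account identifier are constructed.

```python
"""Added example (not Microsoft's code): audit exported Entra ID Conditional
Access policies for whether MFA is actually enforced tenant-wide. Policies
follow the Graph conditionalAccessPolicy shape; the samples are constructed.
"""
import json
from typing import Iterable

PILOT_POLICY = {
    "displayName": "Require MFA (pilot)",
    "state": "enabledForReportingButNotEnforced",   # report-only: nobody is challenged
    "conditions": {
        "users": {"includeUsers": [], "includeGroups": ["<pilot-group-id>"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

ENFORCED_POLICY = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-account-id>"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

LEGACY_BLOCK_POLICY = {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],   # client types that cannot do MFA
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

SAMPLE_POLICIES = [PILOT_POLICY, ENFORCED_POLICY, LEGACY_BLOCK_POLICY]


def mfa_findings(policy: dict) -> list:
    """'HIGH: ...' / 'INFO: ...' findings for a policy meant to require MFA for everyone."""
    findings = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])

    if policy.get("state") != "enabled":
        findings.append(f"HIGH: state is {policy.get('state')!r}, so the policy is not enforced")
    if "All" not in users.get("includeUsers", []):
        findings.append("HIGH: includeUsers does not contain 'All'; only the listed users/groups are covered")
    if "All" not in apps.get("includeApplications", []):
        findings.append("HIGH: includeApplications does not contain 'All'; unlisted apps get no MFA")
    if "mfa" not in controls and not grant.get("authenticationStrength"):
        findings.append("HIGH: grant controls do not require MFA or an authentication strength")
    if grant.get("operator") == "OR" and controls - {"mfa"}:
        # e.g. ["mfa", "compliantDevice"] with OR: a compliant device satisfies the policy without MFA
        findings.append("HIGH: operator OR with extra controls lets a sign-in satisfy the policy without MFA")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        findings.append("INFO: exclusions present; confirm they are only break-glass accounts")
    return findings


def tenant_enforces_mfa(policies: Iterable[dict]) -> bool:
    """True if at least one policy requires MFA for all users and apps with no HIGH findings."""
    return any(not [f for f in mfa_findings(p) if f.startswith("HIGH")] for p in policies)


def blocks_legacy_auth(policy: dict) -> bool:
    """True if the policy blocks the client types that cannot present a second factor."""
    cond = policy.get("conditions", {})
    types = set(cond.get("clientAppTypes", []))
    controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
    return (policy.get("state") == "enabled"
            and {"exchangeActiveSync", "other"} <= types
            and "block" in controls
            and "All" in cond.get("users", {}).get("includeUsers", []))


if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p["displayName"], json.dumps(mfa_findings(p), indent=2))
    print("tenant enforces MFA:", tenant_enforces_mfa(SAMPLE_POLICIES))
    print("legacy auth blocked:", any(blocks_legacy_auth(p) for p in SAMPLE_POLICIES))
```

The pilot policy is the common failure: it requires MFA, but in report-only state and for one group, so it protects nobody. Note that `ENFORCED_POLICY` is the dict you would POST to the same Graph endpoint to create the policy; keep one break-glass account excluded from it and monitor that account's sign-ins, since it is by design the one that bypasses MFA.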

3. Tested, Isolated Backup

Backup is the recovery control — if ransomware does encrypt the environment, a clean, isolated backup is the difference between paying the ransom and restoring from backup. The critical requirements:

Isolated: Backup data must not be reachable from the same network, or with the same credentials, that the ransomware operator can reach. Cloud backup with immutable storage (where objects cannot be modified or deleted for a specified retention period, even by an administrator) is the most resilient architecture for this purpose; the retention period should be longer than the dwell time described above, and the backup console should use its own identity with MFA rather than the domain administrator account, because an attacker who reaches domain admin will look for the backup console and delete whatever it lets them delete. A NAS on the local network, even if it requires separate authentication, can often be reached and encrypted during dwell time.

Tested: A backup that has never been restored is a hypothesis, not a recovery capability. Backups must be tested for restore at least annually, ideally quarterly, with documented results: what was restored, to where, how long it took, and whether every file came back intact. Many Melbourne law firms discover their backup was not working correctly only after a disaster.

Complete: The backup must cover all data that matters — client files, LEAP or Smokeball databases (including SQL components), Microsoft 365 email and SharePoint, and any configuration data needed to rebuild systems.
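One way to make a restore test produce evidence rather than a tick in a box, as an added example that is not LEAP, Smokeball or any backup vendor's code: take a SHA-256 manifest of the live data at backup time, restore to a scratch location, re-hash everything and diff the two. The directory layout and file contents are constructed for the demonstration; the manifest itself should be stored with the backup set, in the same immutable bucket, so the attacker cannot alter both.

```python
"""Added example (not any backup vendor's code): a restore test that proves a
backup can be read back intact. A SHA-256 manifest taken at backup time is
compared against the restored tree. Sample files are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest; lists ok/corrupted/missing/unexpected files."""
    result = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    restored = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(restored) - set(manifest))
    result["passed"] = not (result["corrupted"] or result["missing"])
    return result


# Constructed sample data set: the kinds of files a small firm's backup must cover.
SAMPLE_FILES = {
    "Matters/Smith/contract.docx": b"contract text v3",
    "Matters/Jones/affidavit.pdf": b"%PDF-1.7 affidavit",
    "PracticeDB/leap.mdf": b"SQL data file bytes",
    "PracticeDB/leap_log.ldf": b"SQL log file bytes",
    "Config/firewall-export.xml": b"<config/>",
}


def write_tree(root: Path, files: dict) -> None:
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)


def run_restore_test() -> tuple:
    """Returns (clean result, tampered result): a faithful restore, then one with a
    truncated database file and a file the job never restored."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, restore = Path(tmp) / "prod", Path(tmp) / "restore"
        write_tree(prod, SAMPLE_FILES)
        manifest = build_manifest(prod)          # taken at backup time, stored with the backup

        shutil.copytree(prod, restore)           # stands in for the real restore job
        clean = verify_restore(manifest, restore)

        (restore / "PracticeDB/leap.mdf").write_bytes(b"SQL data")   # truncated database file
        (restore / "Config/firewall-export.xml").unlink()             # never restored
        tampered = verify_restore(manifest, restore)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_restore_test()
    print("clean restore passed:", clean["passed"])
    print("tampered restore passed:", tampered["passed"],
          "corrupted:", tampered["corrupted"], "missing:", tampered["missing"])
```

The second run is the one that matters: a backup job that silently skipped an open SQL data file, or a restore that truncated it, looks fine in a file listing and only shows up when the hashes are compared. Keep the test output with the other documented results.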

4. Patch Management and Software Currency

Attackers actively scan for known-vulnerable systems. A VPN appliance with an unpatched critical vulnerability, a Windows Server running without security updates, or a Remote Desktop service exposed to the internet are live targets. Patching eliminates these entry points.

For Melbourne law firms, the patch management discipline required is:

  • Critical patches (CVSS 9+), and any patch for a vulnerability with a working exploit, applied within 48 hours (the Essential Eight timeframe for internet-facing services)
  • All other security patches applied within two weeks
  • Operating systems on currently supported versions (Windows 10 reaches end of support on 14 October 2025)
  • All internet-facing systems (VPN, email gateway, remote access) treated as the highest priority, and anything that cannot be patched taken off the internet

5. Restrict Administrative Privileges

Ransomware spreads laterally by exploiting administrative access. An attacker who compromises a standard user account can only reach what that account can access. An attacker who compromises an administrator account — or escalates privileges to administrator — can reach everything.

Most Melbourne law firms have staff running as local administrators because it was convenient at setup. This means any piece of malware that executes on those machines immediately has administrator access to install, persist, and spread.

Restricting admin privileges to dedicated admin accounts (used only for administration, never for email or browsing), with a unique local administrator password on each machine managed by Windows LAPS, significantly limits the blast radius of any initial compromise: malware running as the user cannot install, persist, or reuse one shared local admin password to move to the next machine.

Incident Response: What to Do If You Suspect Ransomware

If a Melbourne law firm suspects a ransomware attack is underway — staff see encrypted files, ransom notes appear, systems are inaccessible — the priority actions are:

  1. Isolate affected devices from the network immediately (unplug network cables, disable Wi-Fi, or quarantine them from the EDR console) to stop lateral spread
  2. Do not power off servers until you have confirmed whether doing so will affect evidence preservation: isolating a machine from the network keeps what is in memory, switching it off destroys it
  3. Call your IT provider immediately; do not attempt to recover files or remove encryption yourself
  4. Do not pay the ransom without professional advice: payment does not guarantee recovery, may breach Australian sanctions law if the recipient is a sanctioned entity, does not address the attacker’s exfiltrated copy of your data, and may have to be reported under the ransomware payment reporting obligation in the Cyber Security Act 2024 (which applies above a turnover threshold)
  5. Contact your cyber insurer: if you have cyber insurance, notify them immediately, as policies typically require their panel incident response firms to be engaged before you incur costs
  6. Assess Notifiable Data Breach obligations: if client personal information was exfiltrated, the Privacy Act requires a reasonable and expeditious assessment (within 30 days) of whether an eligible data breach has occurred, with notification to the OAIC and affected individuals if it has

The first 24 hours of a ransomware incident are the most consequential for both recovery and legal obligation management. Having an incident response plan — even a one-page document with the contact numbers — before an incident occurs makes the first 24 hours significantly more manageable.

Where Most Melbourne Law Firms Are Exposed

Based on our experience with Melbourne law firms seeking IT support after security incidents, the most common gaps are:

  • No EDR — still running legacy antivirus or unmanaged Windows Defender
  • MFA not enforced — available in Microsoft 365 but never mandated through Conditional Access
  • Backup on local NAS — accessible from the same network as production, vulnerable during dwell time
  • End-of-life or unpatched systems — Windows Server 2016 without patches, Windows 10 machines on the network

None of these gaps are expensive to close. They require configuration, policy deployment, and in some cases product procurement — but the investment is small compared to the recovery cost of a successful ransomware event.

CX IT Services provides ransomware risk assessment and managed security for Melbourne law firms, including EDR deployment, MFA enforcement, and isolated cloud backup. Visit our IT support for law firms hub for the full managed IT picture, or see our cybersecurity for law firms service for the specific ransomware controls we implement. Book a Right Fit Call to discuss your firm’s current exposure.

26 years IT experience. ASD Cyber Security Partner. Essential Eight and SMB1001 specialist. Deep expertise in accounting and legal practice management software.

Reviewed by: CX IT Services Editorial Team