Ian usually just told lawyers to switch it off and switch it on again.
Allen & Overy has until Tuesday to pay off a gang of cybercriminals or they will release a cache of files stolen from the firm, the hackers have said.
Three weeks ago the LockBit ransomware group announced that it had added the Magic Circle to its long list of victims, which includes Accenture and the Ministry of Defence, and that A&O had until 28 November to pay up.
LockBit originated in countries which belonged to the former Soviet Union and operates as a franchise, providing its software and negotiation framework to affiliates in exchange for a proportion of the ransoms they extort.
Recently the LockBit high table ordered its affiliates to hike the amounts they demand from victims after reportedly being disappointed with the size of ransom payments.
For organisations with revenues upwards of $1 billion, a ransom equating to 0.1% to 3% of the total should be sought, according to a cyberthreat analyst’s report on the gang’s new rates.
That didn’t pan out when an offshoot attempted to extort £66m from Royal Mail. Demands for a sum equivalent to 0.5% of the company’s global revenue faltered when Royal Mail’s negotiator argued that LockBit had actually hacked a loss-making subsidiary of the Plc, Royal Mail International, and that “under no circumstances” would it pay “the absurd amount of money” LockBit had demanded.
On top of which, said Royal Mail’s negotiator, what damage the hack could do had already been done, having triggered a breakdown of the company's ability to make international deliveries.
Allen & Overy’s revenues were £2.1 billion in 2022, which means if the gang is operating in line with LockBit’s edicts, the firm could currently be attempting to argue down a number between £2.1m and £10.5m.
A&O declined to specify how much the criminals were demanding and whether it was engaging with them, referring RollOnFriday to its statement at the time of the attack when it said it had “experienced a data incident impacting a small number of storage servers”.
LockBit’s ransomware can enter a network via phishing, where an employee receives an email requesting access details which appears to have been sent by a benign contact, or via brute force through attacks on servers.
Once inside, the malware self-replicates, simultaneously encrypting files and exfiltrating copies to the LockBit operators.
Affected files are renamed with an appended file-extension of “.lockbit”, and wallpaper on the impacted network’s computers is replaced with a warning informing the user that their files have been stolen, and inviting them to betray their company and provide more information in return for a cut of the ransom.
Opening any of the locked files brings up a ransom note which gives directions to LockBit’s ‘Support’ desk to commence negotiations.
A&O's experience may have varied slightly from this, however, as the firm was infiltrated by the updated LockBit 3.0, aka 'LockBit Black', according to a source.
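For defenders, the rename behaviour described above is a usable detection signal. The following is an added example, not part of the original article or any vendor's tooling: it flags a host when several files have “.lockbit” appended to their names within a short window. The event format, threshold, window and sample log lines are constructed assumptions, and the extension is the one named in the article, which other variants may not use.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXT = ".lockbit"                  # extension named in the article; variants may differ
WINDOW = timedelta(seconds=60)    # assumed sliding window
THRESHOLD = 3                     # assumed; kept low so the small sample triggers it

# Constructed sample rename events: "ISO-time host old_path|new_path"
SAMPLE = """\
2024-01-01T09:00:01 fs01 /share/a.docx|/share/a.docx.lockbit
2024-01-01T09:00:02 fs01 /share/b.xlsx|/share/b.xlsx.lockbit
2024-01-01T09:00:03 ws07 /home/u/notes.txt|/home/u/notes-old.txt
2024-01-01T09:00:04 fs01 /share/c.pdf|/share/c.pdf.lockbit
2024-01-01T09:05:00 ws07 /home/u/x.lockbit.bak|/home/u/y.bak
2024-01-01T09:10:00 ws09 /tmp/r.doc|/tmp/r.doc.lockbit
2024-01-01T09:20:00 ws09 /tmp/s.doc|/tmp/s.doc.lockbit
"""

def parse(line):
    """Split one event line into (timestamp, host, old_path, new_path)."""
    ts, host, paths = line.split(" ", 2)
    old, new = paths.split("|", 1)
    return datetime.fromisoformat(ts), host, old, new

def is_appended_ext(old, new, ext=EXT):
    """True only when the new name is the old name plus the extension."""
    return new.lower() == (old + ext).lower()

def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {host: time of first alert} for bursts of appended-extension renames."""
    recent = defaultdict(deque)   # per-host timestamps of matching renames
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, old, new = parse(line)
        if not is_appended_ext(old, new):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, ts in detect(SAMPLE.splitlines()).items():
        print(f"ALERT {host}: {THRESHOLD}+ '{EXT}' renames within {WINDOW} at {ts}")
```

In the constructed sample only `fs01` alerts: `ws07` renames files without appending the extension, and the two `ws09` renames are ten minutes apart.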
Allen & Overy said investigations “to date” had found that its core systems, including email and document management system, were unaffected and that it was operating “normally with some disruption arising from steps taken to contain the incident”.
“Detailed cyber forensic work continues to investigate and remediate the incident. As a matter of priority, we are assessing exactly what data has been impacted, and we are informing affected clients”, it said.