How to Protect Against Ransomware Attacks?

Posted by Bill Gallivan | Mon, Jun 22, 2020

Cybercrime continues to cast a large shadow across the legal community, especially when it comes to ransomware. Within a single 24-hour period alone, three law firms were targets of such cybercriminal exploits, resulting in stolen data and the potential for sensitive information to be posted in public forums.

Ransomware is one of the most pressing cybersecurity issues facing the legal field today. Law firms are attractive targets for data thieves and other malicious actors because the information stored in their databases is so valuable. Firms cannot afford to let discovery documents, legal briefs, and other information be distributed to the public at large.

Take the proper precautions to protect your firm against ransomware attacks and safeguard both your data and your clients’ documents.

What is a Ransomware Attack?

A ransomware attack occurs when a malicious actor deploys ransomware on a victim's system. Upon infection, the ransomware encrypts the victim's files, making them inaccessible. The attacker then demands a ransom payment in exchange for the decryption key.

Ransomware attacks have been on the rise in recent years, with cybercriminals targeting individuals, businesses, and even government organizations. These attacks can have devastating consequences, causing data loss, financial damage, and reputational harm. In some cases, victims may be left with no choice but to pay the ransom to regain access to their files.

A ransomware attack goes beyond simply stealing files and documents: the malware encrypts the data and prevents the owner from accessing it. The perpetrators then demand a large ransom to be paid in exchange for the decryption key. Because the encryption is so difficult to crack - virtually impossible with a modern cipher - victims without usable backups are left with no choice but to pay the ransom.

Of course, there’s no guarantee the attackers will hold up their end of the bargain. Once they realize the victim is willing to pay the ransom, they may turn around and ask for even more money. They may simply take the money and run, leaving the data encrypted and inaccessible.

How Does Ransomware Work?

Once ransomware infiltrates a system, it seeks out files to encrypt. It uses encryption algorithms to lock the files, rendering them inaccessible without the decryption key. The attacker then displays a ransom note, instructing the victim on how to make the payment and receive the decryption key.

How Does Ransomware Spread?

Ransomware can be propagated via several channels, making it a particularly menacing threat to law firms. Knowing these vectors is essential for developing a comprehensive defense strategy and defending against ransomware attacks:

  • Phishing Emails: The most common way ransomware is delivered is through phishing, where cybercriminals craft convincing emails that appear to come from trusted sources. These emails usually contain harmful links or attachments that, when clicked or opened, infect the victim's computer with ransomware.
  • Exploiting Software Vulnerabilities (the Achilles' heel of cybersecurity): Attackers constantly scan for unpatched systems, targeting known vulnerabilities in operating systems and internet-facing web services (e.g. those listening on port 80). This underscores the critical importance of keeping web services up to date and applying security patches promptly.

The Ransomware Attack Process

Understanding the lifecycle of a ransomware attack can help law firms better prepare their defenses and response strategies:

Infection: This is the initial stage of a ransomware attack, which often occurs via phishing emails, malicious downloads, or the exploitation of software vulnerabilities, among other vectors. The attackers use such vectors to deliver the ransomware payload onto the target system. Once the malicious file is downloaded and executed, it begins the process of infecting the system.

Execution: After the system is infected, the ransomware code activates. At this point, the malware usually tries to disable security features and any interfering software. It may also attempt to establish itself in a way that ensures it remains active even after a system reboot. Additionally, the malware might initiate communication with the attacker's command and control server to receive additional instructions.

Encryption: Once the ransomware is successfully executed, it starts the encryption phase. The malware scans the system for files and collects important data such as documents, images, databases, etc. Using complex encryption algorithms, it locks these files, rendering them inaccessible to the user. The encryption process is usually swift and thorough, affecting both local files and those on connected network drives.

User Notification: Once the data is encrypted, the ransomware notifies the user by displaying a ransom note on the infected system. This note can appear as a text file, HTML page, or desktop background. It informs the user about the encryption and provides instructions on how to pay the ransom to regain access to their files. The note often includes threats to delete the decryption key if the ransom is not paid within a specified timeframe.

Cleanup: During this phase, the ransomware may try to remove any traces of its presence to avoid detection. This could include deleting the original malware files, clearing logs, and disabling security tools. The aim is to make it more difficult for the victim or security professionals to analyze the attack and trace it back to the source.

Payment: The payment phase is the attackers' goal. The ransom note specifies an amount of cryptocurrency, such as Bitcoin, to be paid. Cryptocurrency is favored for its relative anonymity and ease of transfer across borders. Attackers may set a deadline for the payment, often threatening to increase the ransom amount or permanently delete the decryption key if the deadline is missed.

Decryption: After the ransom is paid, the attackers usually provide a decryption key or tool to unlock the encrypted files. However, there is no guarantee that paying the ransom will lead to the restoration of data. In some instances, victims receive a decryption tool that only partially works or doesn't work at all. This last stage is full of uncertainty, emphasizing the critical necessity of strong cybersecurity measures and backups to minimize the impact of ransomware attacks.
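The execution, encryption and cleanup phases above leave a behavioural footprint that a file server or endpoint sensor can watch for: a burst of writes whose content looks like ciphertext, files renamed to a new extension, and a ransom note appearing where none should. The following detector is an added example written for this article, not code from the original post; the event format, the user names, the paths and the ransom-note filenames are all constructed, and the entropy threshold and scoring weights are illustrative choices.

```python
"""Behavioural detection of the encryption phase described above.

Added example, not from the original article. The file-activity events
(timestamp, user, action, path, bytes written) are constructed inline to stand
in for what a file-server audit log or EDR sensor would provide.
"""
import math
import random
from collections import deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float            # seconds since epoch (constructed)
    user: str
    action: str          # "write", "rename" or "create"
    path: str
    new_path: str = ""   # target path for rename events
    data: bytes = b""    # sampled content for write events


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, office documents and text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Constructed ransom-note filenames for the demo; not a list of real indicators.
NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover_files.html"}


def classify(ev: FileEvent):
    """Map one event to a suspicious signal name, or None if it looks ordinary."""
    name = ev.path.rsplit("/", 1)[-1].lower()
    if ev.action == "write" and shannon_entropy(ev.data) >= 7.0:
        return "high_entropy_write"
    if ev.action == "rename" and ev.new_path:
        old_ext = ev.path.rsplit(".", 1)[-1]
        new_ext = ev.new_path.rsplit(".", 1)[-1]
        if old_ext != new_ext:
            return "extension_change"
    if ev.action == "create" and name in NOTE_NAMES:
        return "ransom_note"
    return None


def detect(events, window_s=60.0, min_score=10):
    """Per-user sliding window; alert when suspicious signals cluster in time.

    Returns {user: sorted list of distinct signals seen in the alerting window}.
    A ransom note weighs 5 because no legitimate workflow ever creates one.
    """
    alerts = {}
    recent = {}  # user -> deque of (ts, signal)
    for ev in sorted(events, key=lambda e: e.ts):
        sig = classify(ev)
        if sig is None:
            continue
        q = recent.setdefault(ev.user, deque())
        q.append((ev.ts, sig))
        while q and ev.ts - q[0][0] > window_s:
            q.popleft()
        score = sum(5 if s == "ransom_note" else 1 for _, s in q)
        if score >= min_score:
            alerts.setdefault(ev.user, set()).update(s for _, s in q)
    return {u: sorted(s) for u, s in alerts.items()}


def sample_events():
    """Constructed activity: a normal drafting session, then a bulk-encryption burst."""
    rng = random.Random(7)
    memo = b"Dear counsel, attached please find the revised brief for review. " * 20
    events = [
        FileEvent(1000 + i * 30, "alice", "write", f"/shares/matters/brief_{i}.docx", data=memo)
        for i in range(5)
    ]
    # A compromised account overwrites documents with ciphertext-like bytes,
    # renames them with a new extension and drops a note, all within seconds.
    for i in range(15):
        blob = bytes(rng.getrandbits(8) for _ in range(2048))
        src = f"/shares/matters/exhibit_{i}.pdf"
        events.append(FileEvent(2000 + i, "bob", "write", src, data=blob))
        events.append(FileEvent(2000 + i + 0.5, "bob", "rename", src, new_path=src + ".locked"))
    events.append(FileEvent(2016, "bob", "create", "/shares/matters/README_DECRYPT.txt"))
    return events


if __name__ == "__main__":
    for user, signals in detect(sample_events()).items():
        print(f"ALERT {user}: {', '.join(signals)}")
```

Running the block prints an alert for the compromised account only; the drafting session never trips it because its writes have low entropy and no renames. Because the cleanup phase may clear logs on the infected host, a detector like this belongs on the file server or in a central log pipeline, where the attacker cannot erase its input, and an alert should trigger an automatic disconnect of the offending account from shared drives.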

What is the Impact of Ransomware Attacks?

Revenue: A ransomware attack can significantly impact an organization's operations. Even if the organization is well-prepared and has functional backups, it could still take hours to restore affected systems. For organizations that were less prepared or had compromised backups, it could take days or even weeks to fully recover, leading to reduced or halted revenues during the recovery period.

Reputation: Experiencing a data breach or a ransomware attack can harm an organization's reputation. Some customers might see a successful attack as a sign of poor security practices, or they could be so highly affected by a service disruption that they decide to take their business elsewhere.

Financial: Ransomware can be an unexpected, expensive cost for organizations. In addition to the potential loss in revenue, there are both obvious and less obvious costs to consider.

Obvious costs include:
    1. The cost of the ransom payment (if paid)
    2. The cost of remediating the incident, including expenses for new hardware, software, and incident response services, insurance deductibles, attorney fees, litigation costs, and public relations.

Less obvious costs may include:
    1. Increases in insurance premiums
    2. Devaluation of reputation or tradename
    3. Loss of intellectual property

Common Ransomware Examples

Several notable ransomware variants have wreaked havoc in recent years:

CryptoLocker: One of the earliest ransomware types, known for its strong encryption and demand for payment in Bitcoin.
Petya and NotPetya: These ransomware families encrypt files and target the master boot record, rendering entire systems unbootable.
Ryuk: A highly targeted ransomware with large ransom demands, often aimed at enterprises and critical infrastructure.
GandCrab: This ransomware family was notorious for its rapid development and evolution, offering Ransomware-as-a-Service (RaaS) to cybercriminals. GandCrab could evade detection and used sophisticated encryption methods, posing a notable threat to individuals and organizations.

How to Prevent Ransomware?

  • Always use two-factor authentication (2FA): Implementing two-factor authentication (2FA), such as Duo, adds an extra layer of security by requiring not just a password but also a second form of verification. This makes it significantly harder for cybercriminals to gain unauthorized access to your accounts, even if they have stolen your password.
  • Never click on unsafe links: Avoid clicking on links in spam messages or on unknown websites. Clicking on malicious links can trigger automatic downloads that may infect your computer.
  • Avoid disclosing personal information: If you receive a call, text message, or email from an untrusted source requesting personal information, do not reply. Cybercriminals may try to gather personal information in advance of a ransomware attack. If you have doubts about the legitimacy of the message, contact the sender directly.
  • Do not open suspicious email attachments: Ransomware can spread through email attachments. Avoid opening any dubious-looking attachments. Ensure the email is trustworthy, check the sender's address, and never open attachments that prompt you to run macros.
  • Keep your programs and operating system up to date: Regularly update programs and operating systems to protect yourself from malware. Benefit from the latest security patches, making it harder for cybercriminals to exploit vulnerabilities in your programs.

What are the Different Types of Ransomware Attacks?

Ransomware comes in various forms, each presenting unique challenges and threats to individuals and organizations. Understanding the different types of ransomware is crucial for recognizing and mitigating these cyber threats. Below are some of the most common variants:

Encrypting Ransomware: This type of ransomware encrypts files on the victim's system, making them inaccessible until a ransom is paid for the decryption key.

Locker Ransomware: Locker ransomware locks the victim out of their entire system, preventing access to files, applications, and sometimes even the operating system itself.

Scareware: Scareware doesn't actually encrypt or lock files; instead, it displays intimidating messages or fake warnings that trick users into paying for unnecessary or non-existent services to remove supposed threats.

Doxware (Leakware): Also known as extortionware, this type of ransomware threatens to publish sensitive information stolen from the victim's system unless a ransom is paid.

Mobile Ransomware: Designed specifically for mobile devices, this ransomware targets smartphones and tablets, encrypting files or locking the device until a ransom is paid.

RaaS (Ransomware-as-a-Service): RaaS allows cybercriminals to rent or purchase ransomware kits, enabling even those with limited technical expertise to conduct ransomware attacks.

Why is It So Hard to Find Ransomware Perpetrators?

Finding the perpetrators of ransomware attacks is often a challenging task. Cybercriminals typically employ sophisticated techniques to conceal their identities and cover their tracks. They often operate from countries with lax cybersecurity regulations or use anonymizing technologies, making it difficult for authorities to track them down.

What are the Ransomware Threats Legal Firms Face?

Ransomware attacks are becoming more common - not to mention expensive for their victims. According to the FBI, there were nearly 1,500 incidents reported to the agency in 2018 alone. More alarming than the sheer number of ransomware events is the growing cost of those attacks. Total losses increased 55% between 2017 and 2018, reaching $3.6 million.

Cybercriminals know that attorneys will do everything in their power to retrieve sensitive data, even paying tens of thousands of dollars if need be. As such, legal practices will continue to be at risk for such attacks and need to take proper measures to prevent them and protect their databases.

How Do Ransomware Attacks Breach Law Firms?

The most common way cybercriminals launch ransomware attacks is through phishing emails. This tactic is incredibly effective because it preys upon the ignorance and lack of awareness of employees.

Phishing emails appear to be legitimate at first glance, but they contain links to sites with malicious software or executable files that infect the user’s machine with malware. The average person is largely unaware of the threat that cybercrime poses - not to mention how common ransomware attacks have become. Employees may not recognize red flags or scrutinize emails sent from unknown sources.

Cybercriminals have been known to use even more sophisticated measures to trick unsuspecting employees into opening phishing emails and infecting their machines. Spear phishing uses social engineering tools to target a specific person or institution. Instead of receiving an obviously suspicious email, spear phishing victims might find one that is addressed to them, references their law firm, or appears to have been sent by a colleague or even their boss. With fewer red flags to spot, it’s much more difficult to screen out these kinds of ransomware attacks.

Once the user has clicked on the link or downloaded the malicious software, there’s no turning back. Their computer, laptop, or mobile device becomes infected with ransomware, compromising whatever data is stored on that machine.

At that point, law firms have two choices: Either pay the ransom and hope for the best or use system restore tools to retrieve data backups. That second option is only viable if the firm has a comprehensive disaster recovery plan and backup systems in place, which is by no means a guarantee. Once data has been encrypted by ransomware, nothing short of the decryption key or a clean backup will bring it back.

How Can Law Firms Protect Themselves Against Ransomware and Data Leaks?

Traditional cybersecurity measures like antivirus software are unlikely to stop ransomware on their own, since these attacks are designed to bypass such defenses. There are several ways law firms can go about insulating themselves from ransomware attacks and other data breaches.

Educate Staffers

First, educate employees about cybersecurity best practices. Staff members are, in many cases, the first line of defense against a cyberattack. That’s especially true when it comes to security incidents involving phishing emails. Being able to recognize the tell-tale signs of malicious activity will make your employees an asset, rather than a liability, in the fight against cybercrime. When law firms establish a strong organizational culture that prioritizes a robust cybersecurity posture, they significantly reduce their threat surface area.

Implement a Disaster Recovery Plan

Another recommended step is to implement a comprehensive disaster recovery and system restore procedure. You may not be able to guarantee that a cybercriminal will restore data encrypted by ransomware, but you can minimize, if not completely obviate, the loss of those documents.

  • Backup systems allow law firms to simply retrieve any data that has been compromised, so they don’t need to roll the dice on paying the ransom. A good disaster recovery plan goes beyond storing duplicate data on external hard drives; it uses a network of backups to provide both redundancy and diversity. A cloud backup can be especially effective, as long as the cloud provider has an ironclad cybersecurity plan in place.
  • Additionally, using eDiscovery software that integrates advanced cybersecurity measures can help law firms monitor and safeguard sensitive data. This software can detect potential threats and ensure that client information remains secure even in the event of a ransomware attack.
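A backup only helps if it is known to be intact and was taken before the encryption happened; a backup job that faithfully copies already-encrypted files, then rotates the last clean snapshot away, is the failure mode the paragraph above is warning about. The following script is an added example written for this article, not code from the original post or from any backup product: it records a SHA-256 manifest at backup time, verifies a restore copy against it, and refuses to rotate old snapshots when an implausible share of files changed at once. The directory layout, file contents, the 25% churn threshold and the "tampered media" scenario are all constructed here.

```python
"""Backup integrity checks for the disaster-recovery plan described above.

Added example, not from the original article. It builds a SHA-256 manifest of a
document tree, verifies that a restore copy matches it, and refuses to rotate
older snapshots away when an implausible share of files changed at once, which
is what a backup job sees when ransomware has already encrypted the source.
The directory layout and file contents are constructed in a temp directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Relative POSIX path -> SHA-256 hex digest for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restore_root) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(restore_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "extra": sorted(set(actual) - set(manifest)),
        "corrupted": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
    }


def change_ratio(previous: dict, current: dict) -> float:
    """Fraction of previously backed-up files whose content changed or vanished."""
    if not previous:
        return 0.0
    changed = sum(1 for k, h in previous.items() if current.get(k) != h)
    return changed / len(previous)


def safe_to_rotate(previous: dict, current: dict, max_ratio: float = 0.25) -> bool:
    """Keep old snapshots when a day's churn is implausibly high: a mass rewrite
    usually means the source was encrypted, and the only good copy is the old one."""
    return change_ratio(previous, current) <= max_ratio


def demo() -> dict:
    """Constructed scenario: clean backup on day 1, encrypted source on day 2."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "matters")
        src.mkdir()
        for i in range(8):
            (src / f"brief_{i}.docx").write_text(f"Brief {i}: argument and exhibits\n")
        day1 = build_manifest(src)
        backup = Path(tmp, "backup_day1")
        shutil.copytree(src, backup)
        clean = verify_restore(day1, backup)

        # Backup media that stayed reachable from the infected host gets one file
        # overwritten; the manifest check catches it before anyone relies on it.
        (backup / "brief_3.docx").write_bytes(b"\x8f\x13\xa7" * 64)
        tampered = verify_restore(day1, backup)

        # Day 2: ransomware has rewritten most of the source tree.
        for i in range(6):
            (src / f"brief_{i}.docx").write_bytes(b"\x8f\x13\xa7" * 64)
        day2 = build_manifest(src)
        return {
            "clean": clean,
            "tampered": tampered,
            "day2_ratio": change_ratio(day1, day2),
            "rotate_old_snapshots": safe_to_rotate(day1, day2),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two practices follow from this: keep the manifest somewhere the backup host cannot write to, since a backup that can be reached and modified from the infected network is exactly what ransomware overwrites, and run the restore check on a schedule rather than waiting for an incident, so a corrupted or incomplete backup is discovered while the previous clean snapshot still exists.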

Craft an Incident Response Plan

Law firms should also create an incident response plan so employees know exactly what to do if they have reason to believe their work computers have been infected by ransomware. An incident response plan removes any confusion from the situation and helps organizations remediate threats as quickly as possible.

Above all else, attorneys need to assume that a data breach will happen at some point. New threats are emerging every day, and the cybersecurity community can’t possibly account for every single malware strain and vulnerability before an attack is launched. Plan for the worst-case scenario, and you will never be caught off-guard. 
