Cybercrime continues to cast a large shadow across the legal community, especially when it comes to ransomware. Within a single 24-hour period alone, three law firms were targets of such cybercriminal exploits, resulting in stolen data and the potential for sensitive information to be posted in public forums.
Ransomware is one of the most pressing cybersecurity issues facing the legal field today. Law firms are attractive targets for data thieves and other malicious actors because the information stored in their databases is so valuable. Firms cannot afford to let discovery documents, legal briefs, and other information be distributed to the public at large.
Take the proper precautions to protect your firm against ransomware attacks and safeguard both your data and your clients’ documents.
A ransomware attack occurs when a malicious actor deploys ransomware on a victim's system. Upon infection, the ransomware encrypts the victim's files, making them inaccessible. The attacker then demands a ransom payment in exchange for the decryption key.
Ransomware attacks have been on the rise in recent years, with cybercriminals targeting individuals, businesses, and even government organizations. These attacks can have devastating consequences, causing data loss, financial damage, and reputational harm. In some cases, victims may be left with no choice but to pay the ransom to regain access to their files.
A ransomware attack goes beyond simply stealing files and documents, encrypting data, and preventing the owner from accessing it. The perpetrators then demand a large ransom to be paid in exchange for the decryption key. Because encryption is so difficult to crack - virtually impossible with a modern cipher - victims are left with no choice but to pay the ransom.
Of course, there’s no guarantee the attackers will hold up their end of the bargain. Once they realize the victim is willing to pay the ransom, they may turn around and ask for even more money. They may simply take the money and run, leaving the data encrypted and inaccessible.
Ransomware can be propagated through several channels, which makes it a particularly menacing threat to law firms. Knowing these vectors is essential for developing a comprehensive defense strategy and protecting the firm against ransomware attacks.
Understanding the lifecycle of a ransomware attack can help law firms better prepare their defenses and response strategies:
Infection: This is the initial stage of a ransomware attack, which often occurs via phishing emails, malicious downloads, exploitation of vulnerabilities in software, and other vectors. The attackers use such vectors to deliver the ransomware payload onto the target system. Once the malicious file is downloaded and executed, it begins the process of infecting the system.
Execution: After the system is infected, the ransomware code activates. At this point, the malware usually tries to disable security features and any interfering software. It may also attempt to establish itself in a way that ensures it remains active even after a system reboot. Additionally, the malware might initiate communication with the attacker's command and control server to receive additional instructions.
Encryption: Once the ransomware is successfully executed, it starts the encryption phase. The malware scans the system for files and collects important data such as documents, images, databases, etc. Using complex encryption algorithms, it locks these files, rendering them inaccessible to the user. The encryption process is usually swift and thorough, affecting both local files and those on connected network drives.
User Notification: Once the data is encrypted, the ransomware notifies the user by displaying a ransom note on the infected system. This note can appear as a text file, HTML page, or desktop background. Basically, it informs the user about the encryption and provides instructions on how to pay the ransom to regain access to their files. The note often includes threats to delete the encryption key if the ransom is not paid within a specified timeframe.
Cleanup: During this phase, the ransomware may try to remove any traces of its presence to avoid detection. This could include deleting the original malware files, clearing logs, and disabling security tools. The aim is to make it more difficult for the victim or security professionals to analyze the attack and trace it back to the source.
Payment: The payment phase is important for attackers. The ransom note specifies an amount of cryptocurrency, such as Bitcoin, to be paid. Cryptocurrency is favored due to its anonymity and ease of transfer across borders. Attackers may set a deadline for the payment, often threatening to increase the ransom amount or permanently delete the decryption key if the deadline is missed.
Decryption: After the ransom is paid, the attackers usually give a decryption key or tool to unlock the encrypted files. However, there is no guarantee that paying the ransom will lead to the restoration of data. In some instances, victims receive a decryption tool that only partially works or doesn't work at all. This last stage is full of uncertainty, emphasizing the critical necessity of strong cybersecurity measures and backups to minimize the impact of ransomware attacks.
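Two of the lifecycle stages above leave observable traces on the endpoint: the encryption phase renames many files to a new extension in a short burst, and the notification phase drops a ransom note. The following detector is an added example, not part of the original article; it runs over a constructed file-activity log, and the threshold, window and note-name hints are assumptions to be tuned for a real environment.

```python
# Added example, not from the original article: a toy detector that scans
# constructed file-activity log lines for two lifecycle signals described
# above, a burst of renames to one new extension (encryption phase) and the
# drop of a ransom note (user-notification phase). Thresholds are assumptions.
from collections import defaultdict
from datetime import datetime
# Constructed sample log, format: "timestamp host user action path [-> newpath]"
SAMPLE_LOG = """\
2024-03-01T09:00:01 ws-07 jdoe RENAME /cases/brief.docx -> /cases/brief.docx.locked
2024-03-01T09:00:01 ws-07 jdoe RENAME /cases/exhibit_a.pdf -> /cases/exhibit_a.pdf.locked
2024-03-01T09:00:02 ws-07 jdoe RENAME /cases/discovery.xlsx -> /cases/discovery.xlsx.locked
2024-03-01T09:00:02 ws-07 jdoe RENAME /shares/clients/retainer.docx -> /shares/clients/retainer.docx.locked
2024-03-01T09:00:03 ws-07 jdoe CREATE /cases/README_DECRYPT.txt
2024-03-01T09:15:00 ws-03 asmith RENAME /drafts/memo.docx -> /drafts/memo_v2.docx
"""
RENAME_THRESHOLD = 3   # renames to the same new extension ...
WINDOW_SECONDS = 60    # ... within this many seconds trips an alert
NOTE_HINTS = ("decrypt", "ransom", "how_to_recover", "restore_files")  # assumed note names

def parse_line(line):
    ts, host, user, action, rest = line.split(" ", 4)
    src, _, dst = rest.partition(" -> ")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "action": action, "src": src, "dst": dst or None}

def new_extension(src, dst):
    # Extension a rename appended (e.g. '.locked'); None if the name changed otherwise
    if dst and dst.startswith(src) and "." in dst[len(src):]:
        return dst[len(src):]
    return None

def detect(log_text):
    """Return alert strings for hosts showing ransomware-like file activity."""
    alerts, bursts = [], defaultdict(list)   # (host, ext) -> rename timestamps
    for ev in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        if ev["action"] == "RENAME":
            ext = new_extension(ev["src"], ev["dst"])
            if ext:
                bursts[(ev["host"], ext)].append(ev["ts"])
        elif ev["action"] == "CREATE":
            name = ev["src"].rsplit("/", 1)[-1].lower()
            if any(hint in name for hint in NOTE_HINTS):
                alerts.append(f"{ev['host']}: possible ransom note {ev['src']}")
    for (host, ext), stamps in bursts.items():
        stamps.sort()   # sliding window: THRESHOLD renames inside WINDOW_SECONDS
        for i in range(len(stamps) - RENAME_THRESHOLD + 1):
            if (stamps[i + RENAME_THRESHOLD - 1] - stamps[i]).total_seconds() <= WINDOW_SECONDS:
                alerts.append(f"{host}: {RENAME_THRESHOLD}+ files renamed to '{ext}' within {WINDOW_SECONDS}s")
                break
    return alerts
```

Note that the sample includes a share path (/shares/clients/...), reflecting the point above that encryption reaches connected network drives as well as local files.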
Several notable ransomware variants have wreaked havoc in recent years:
CryptoLocker: One of the earliest ransomware types, known for its strong encryption and demand for payment in Bitcoin.
Petya and NotPetya: These ransomware families encrypt files and target the master boot record, rendering entire systems unbootable.
Ryuk: A highly targeted ransomware with large ransom demands, often aimed at enterprises and critical infrastructure.
GandCrab: This ransomware family was notorious for its rapid development and evolution, offering Ransomware-as-a-Service (RaaS) to cybercriminals. GandCrab could evade detection and used sophisticated encryption methods, posing a notable threat to individuals and organizations.
Implementing two-factor authentication (2FA), such as Duo, adds an extra layer of security by requiring not just a password but also a second form of verification. This makes it significantly harder for cybercriminals to gain unauthorized access to your accounts, even if they have stolen your password.
Avoid clicking on links in spam messages or on unknown websites. Clicking on malicious links can trigger automatic downloads that may infect your computer.
If you receive a call, text message, or email from an untrusted source requesting personal information, do not reply. Cybercriminals may try to gather personal information in advance for a ransomware attack. If you have doubts about the legitimacy of the message, contact the sender directly.
Encrypting Ransomware: This type of ransomware encrypts files on the victim's system, making them inaccessible until a ransom is paid for the decryption key.
Locker Ransomware: Locker ransomware locks the victim out of their entire system, preventing access to files, applications, and sometimes even the operating system itself.
Scareware: Scareware doesn't actually encrypt or lock files; instead, it displays intimidating messages or fake warnings that trick users into paying for unnecessary or non-existent services to remove supposed threats.
Doxware (Leakware): Also known as extortionware, this type of ransomware threatens to publish sensitive information stolen from the victim's system unless a ransom is paid.
Mobile Ransomware: Designed specifically for mobile devices, this ransomware targets smartphones and tablets, encrypting files or locking the device until a ransom is paid.
RaaS (Ransomware-as-a-Service): RaaS allows cybercriminals to rent or purchase ransomware kits, enabling even those with limited technical expertise to conduct ransomware attacks.
Finding the perpetrators of ransomware attacks is often a challenging task. Cybercriminals typically employ sophisticated techniques to conceal their identities and cover their tracks. They often operate from countries with lax cybersecurity regulations or use anonymizing technologies, making it difficult for authorities to track them down.
Ransomware attacks are becoming more common - not to mention expensive for their victims. According to the FBI, there were nearly 1,500 incidents reported to the agency in 2018 alone. More alarming than the sheer number of ransomware events is the growing cost of those attacks. Total losses increased 55% between 2017 and 2018, reaching $3.6 million.
Cybercriminals know that attorneys will do everything in their power to retrieve sensitive data, even paying tens of thousands of dollars if need be. As such, legal practices will continue to be at risk for such attacks and need to take proper measures to prevent them and protect their databases.
The most common way cybercriminals launch ransomware attacks is through phishing emails. This tactic is incredibly effective because it preys upon the ignorance and lack of awareness of employees.
Phishing emails appear to be legitimate at first glance, but they contain links to sites with malicious software or executable files that infect the user’s machine with malware. The average person is largely unaware of the threat that cybercrime poses - not to mention how common ransomware attacks have become. Employees may not recognize red flags or scrutinize emails sent from unknown sources.
Cybercriminals have been known to use even more sophisticated measures to trick unsuspecting employees into opening phishing emails and infecting their machines. Spear phishing uses social engineering tools to target a specific person or institution. Instead of receiving an obviously suspicious email, spear phishing victims might find one that is addressed to them, references their law firm, or appears to have been sent by a colleague or even their boss. With fewer red flags to spot, it’s much more difficult to screen out these kinds of ransomware attacks.
Once the user has clicked on the link or downloaded the malicious software, there’s no turning back. Their computer, laptop, or mobile device becomes infected with ransomware, compromising whatever data is stored on that machine.
At that point, law firms have two choices: Either pay the ransom and hope for the best or use system restore tools to retrieve data backups. That second option is only viable if the firm has a comprehensive disaster recovery plan and backup systems in place, which is by no means a guarantee. Once data has been encrypted by ransomware, nothing short of the encryption key will bring it back.
Traditional cybersecurity measures like antivirus software are unlikely to stop ransomware on their own, since modern ransomware is adept at bypassing those defenses. There are several ways law firms can go about insulating themselves from ransomware attacks and other data breaches.
First, educate employees about cybersecurity best practices. Staff members are, in many cases, the first line of defense against a cyberattack. That’s especially true when it comes to security incidents involving phishing emails. Being able to recognize the tell-tale signs of malicious activity will make your employees an asset, rather than a liability, in the fight against cybercrime. When law firms establish a strong organizational culture that prioritizes a robust cybersecurity posture, they significantly reduce their threat surface area.
Another recommended step is to implement a comprehensive disaster recovery and system restore procedure. You may not be able to guarantee that a cybercriminal will restore data encrypted by ransomware, but you can minimize, if not completely obviate, the loss of those documents.
Law firms should also create an incident response plan so employees know exactly what to do if they have reason to believe their work computers have been infected by ransomware. An incident response plan removes any confusion from the situation and helps organizations remediate threats as quickly as possible.
Above all else, attorneys need to assume that a data breach will happen at some point. New threats are emerging every day, and the cybersecurity community can’t possibly account for every single malware strain and vulnerability before an attack is launched. Plan for the worst-case scenario, and you will never be caught off-guard.