Law Firms Stagger Through Ransomware Attacks
As the ransomware gangs move from big game to mid-size game, what’s a law firm to do?
Ed. note: Today, we are pleased to publish the first of a new article series, Cybersecurity: Tips From the Trenches, by our friends at Sensei Enterprises, a boutique provider of IT, cybersecurity, and digital forensics services.
The Good Old Days of Ransomware
Yes, there really were “the good old days of ransomware.” We call it Ransomware Version 1.0. The ransomware “landed” in your network, encrypted your data and presented a ransom to get the decryption key that would decrypt your data. Quite an innocent era by contrast with Ransomware Version 2.0, which preceded the pandemic, but then flourished as lawyers headed home to insecure home networks in March of 2020.
The Devil That is Ransomware Version 2.0
The ransomware gangs figured out that two ransoms were better than one. So now ransomware attacks steal your data before they encrypt your network. If you’ve really built a resilient network, you may be able to recover without paying the ransom. On the other hand, there may be so much downtime and lost productivity that you decide to pay anyway – especially if the payment is picked up by your cyberinsurance company.
Relatively recently, attacks include searching out and destroying any backups connected to the network – and also disabling or end-running the very software you have running to detect a ransomware attack.
But even if you don’t end up paying the first ransom demand, most firms are getting a second ransom demand for (you hope but can never know) destroying your data. In the meantime, they may leak some of your confidential data online on a “ransomware wall of shame” or alert journalists to the breach to pressure you into paying the ransom and confirming that they are in possession of the data.
A Small Ray of Light and An Ominous Warning
Cybersecurity firm Coveware reported at the end of Q3 this year that the average ransomware payment remained at $140,000, the same as in the last quarter.
But here’s the warning that law firms should note:
Coveware says small and midsize professional services firms, especially law firms and financial services firms, are most at risk from ransomware attacks because of their lack of cybersecurity preparedness, apparently because they think they’re too small to be targeted.
That thinking has always been wrong, but it is more wrong now. Why? Because governments and law enforcement are putting enormous pressure on ransomware gangs. Those efforts have escalated since the Colonial Pipeline attack in spring of 2021.
Coveware says, “We have seen statistical evidence and intelligence showing that ransomware actors are trying to avoid larger targets that may evoke a national political or law enforcement response. This shift from ‘big game hunting’ to ‘mid game hunting’ is personified in both the ransom amount statistics but also the victim size demographics from the quarter.”
In other words, ransomware gangs may avoid attacking the AmLaw 100, but not mid-sized firms that nonetheless hold very valuable data.
As the Ransomware Gangs Move from Big Game to Mid-size Game, What’s a Law Firm to Do?
The answer would require far more space than one article can provide. But follow the advice below and you’ll have made a good start!
1. Enable 2FA (two-factor authentication) anywhere you can. It will stop 99.9% of all credential based account takeover attacks. Microsoft and Google are beginning to enforce the use of 2FA for all users. That ought to tell you something. And while you’re at it, start learning about Zero Trust Architecture, which gives up completely on the obsolete notion of protecting a law firm’s perimeter and adopts a mantra of “never trust, always verify.”
2. Have endpoint detection and response (EDR) protection for all the devices connected to your network. This solution will monitor for behavior indicating malware or the existence of an attack.
3. Have multiple backups, test them often, and always have at least one isolated backup so it can’t be encrypted or destroyed!
4. Apply updates and patches promptly – if you are concerned about them “breaking” something, have a 3rd party test them prior to application (some companies sell this service at a reasonable price).
5. Control or disable network services, especially unneeded ones. Don’t use Remote Desktop Protocol.
6. Restrict privileged access and deploy a privileged access management solution.
7. Do cybersecurity awareness training for employees at least once a year – twice is better – intermittent reminders of phishing, social engineering, etc. are helpful – along with phishing simulations.
8. One of the best resources available (and written in plain English) is CISA’s one-stop shop website.
9. Get a cyberinsurance policy – but be wary. Costs are escalating while coverage is lessening. Cyberinsurance applications are much longer – and most law firms are not able to give the insurers the cybersecurity assurances they want.
10. Have (or develop) a comprehensive Incident Response Plan (IRP) to avoid panic and mistakes if you do suffer a ransomware attack. Train on the plan – use at least tabletop exercises, adding and subtracting things, i.e., the managing partner is climbing a mountain and inaccessible, the electronic grid has gone down, your employees have spread word of the breach on social media – as you might imagine, there are a long list of possible complications. But not having an IRP at all (and most small and mid-sized firms do not) is unforgivable and probably unethical given your duty to reasonably protect confidential firm data. By all means, make sure the IRP is stored somewhere (paper or electronic) that ransomware can’t encrypt it and render it inaccessible.
Last words
There is no “set and forget it” in cybersecurity. We’ll be back each month with more data and advice….
Sharon D. Nelson (snelson@senseient.com) is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.
John W. Simek (jsimek@senseient.com) is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their Fairfax, Virginia firm.
Michael C. Maschke (mmaschke@senseient.com) is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker, and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional.
