There is a virus spreading through the legal community, causing law firms and law-related companies to shut down. While careful hygiene could help prevent its spread, the virus I’m talking about is not the one that is dominating the headlines.
Rather, what I’m talking about is ransomware. On Feb. 29, a ransomware attack took down the international e-discovery and managed services company Epiq Global, leaving customers unable to access their data or work on e-discovery review projects they had underway.
As of Saturday, the company said it was still working to bring its systems online. The incident affected a range of law-related businesses within Epiq, including its e-discovery and document review, class action and mass tort, and restructuring and bankruptcy businesses.
Meanwhile, a spate of ransomware attacks have hit law firms, shutting down their operations and posting portions of stolen client data online to get them to pay the ransom. In one 24-hour period last month, three law firms were hit. An attack against a nationwide disability firm resulted in veterans’ records posted online.
As of this morning, I checked several ransomware sites and found multiple instances that purport to have locked law firm data and posted some of it online. These are not so-called “dark web” sites — they are available on the open internet.
Ransomware is not the kind of virus typically associated with the malware that attacks computers. Viruses infect a particular program and then have the ability to propagate within a computer system, causing effects of varying severity.
By contrast, ransomware uses a technique called cryptoviral extortion, which means it encrypts all the files on a computer or system and then demands payment of a ransom to decrypt them and allow you to recover your files.
One of the most common ways ransomware can get access to a computer is through email phishing – an attachment to an email that appears to be a file the recipient should trust, but that in fact contains malware.
A recent Experian study of companies across industries found that 36% reported having had a ransomware attack last year, with only 20% confident of their ability to deal with such an attack.
But Brett Callow, a threat analyst with Emsisoft, a cybersecurity company that is also an associate partner in the No More Ransom Project, an initiative between multiple law enforcement agencies and the private sector, said a major concern is companies not reporting or disclosing ransomware attacks.
Delays in notifying customers that their data may have been breached can give criminals time to hit unsuspecting third parties with spear-phishing attacks and other forms of fraud, he says.
“Folks’ tax returns and veterans’ PTSD claims are being posted online, and these people have no clue that they’re sitting ducks for identity thieves because the companies haven’t told them,” Callow says. “Similarly, I suspect that the groups are using the stolen data to spear phish other companies.”
Yet as the headlines are dominated by news of the coronavirus, there are parallels between that crisis and the rise in ransomware attacks.
“The two have something in connection, in that they shed light on the need for good hygiene in general, and good cyber-hygiene in particular,” said David Carns, a former technology consultant to law firms who is now chief revenue officer at Casepoint. “No system is immune from attack, but there are best practices that people can employ to improve one’s chances of good health.”
With regard to shopping for vendors of legal products and services, law firms should look carefully at their security policies, Carns says. Too often, companies cite their data center’s security ratings as evidence of their own — but security policies must apply also at the company level and even down to the file level.
As the Epiq incident demonstrates, it takes just one successful phishing attack to take down an entire network. For that reason, Carns said, companies need to emphasize regular and company-wide security training for all employees.
He also suggested that companies compartmentalize their data, so if an employee’s lack of diligence opens the door to an attack, it does not infect the entire system.
As for law firms, there are a number of measures they can take to help guard against a ransomware attack. But the most important may be educating staff. Ensure that they know how to protect client documents through encryption and other means. And teach them never to open attachments from unknown senders.
Safe email practices are to ransomware what hand washing is to coronavirus. A bit of hygiene goes a long way toward prevention.
Robert Ambrogi is a Massachusetts lawyer and journalist who has been covering legal technology and the web for more than 20 years, primarily through his blog LawSites.com. Former editor-in-chief of several legal newspapers, he is a fellow of the College of Law Practice Management and an inaugural Fastcase 50 honoree. He can be reached by email at ambrogi@gmail.com, and you can follow him on Twitter (@BobAmbrogi).
