When the law firm of Ziprick & Crammer sent a letter to their clients earlier this year explaining that they were the “victim of a single cyberattack, by a relatively new variant of Cryptolocker-type virus” – many took note. While the firm may have been one of the first to be so open about the ransoming of their data, they are certainly not the first to be targeted.
Back in 2011, it was estimated that 80 major U.S. law firms had been hacked. More recently, law firm Goodson admitted to sustaining a ransomware attack. And, following a ransomware campaign targeting three Canadian law firms, the Law Society of British Columbia published a warning across their network of legal professionals.
Many firms large and small understand that they will likely be the target of a cyberattack at some point. However, most are woefully unprepared for such an eventuality and lack the know-how to properly prepare. Here are some of the most frequently asked questions about the ransomware threat law firms face and strategies to help them mitigate risks.
Why are Law Firms Such an Attractive Target?
Law firms contain an abundance of sensitive information, be it potential mergers, patents, balance sheets or trade secrets. Large legal firms, for example, create or modify almost 100 documents every hour. All of this information is stored on, or passed through, the law firm’s information systems, making them, according to the FBI’s Patrick Fallon, “a rich target.” Despite being such rich targets, law firms do not typically have the infrastructure and systems in place to protect themselves against hacks. It is this vulnerability that hackers are exploiting.
What is the Current State of Security in Most Law Firms?
Despite being such visible cyber targets, most law firms fail to obtain the proper security controls needed to protect their data, instead relying on outsourced providers to try to keep their data safe. In fact, the 2014 Global Law Firm Cyber Survey conducted by Marsh found that while 79 percent of respondents see cyber/privacy security as one of the top 10 risks to their overall strategy, 72 percent of these respondents have not even assessed how much a data breach would cost them.
What Exactly is Ransomware?
Ransomware is an increasingly popular tactic used to steal data and disrupt a system’s operations. Essentially, ransomware is malware used by attackers to infect a device, hijack files on that device and lock them, via encryption. These maliciously encrypted files can no longer be accessed by users, and are held hostage by the attacker until a ransom is paid.
The ransom can range from hundreds of dollars to hundreds of thousands, depending on the type of file and victim (attackers typically assume law firms are rich targets which will pay large ransoms to prevent the attack from impacting their operations or reputation). In 2013, the criminals responsible for CryptoLocker, a prolific type of ransomware, purportedly earned between $3 million and $27 million from victims.
The proliferation of ransomware is predicted to only get worse. According to McAfee Labs, there were twice as many ransomware samples in 2015 Q1 than in any other quarter, and the FBI recently issued an alert on the uptick of ransomware (citing Cryptowall as “the most current and significant ransomware targeting U.S. individuals and businesses”).
How Can Law Firms Combat Ransomware?
When dealing with ransomware, law firms should never pay the ransom. A successful ransomware attack points to a security vulnerability that needs to be effectively remediated. Additionally, when dealing with hackers, there are no guarantees the data will actually be released; in fact, it will likely lead to another attack that is nastier and more expensive than the first. Worse, paying up motivates the threat actors to continue with the practice.
So, what can law firms do?
1 – Stay vigilant for cyber threats. Ransomware typically infects employees through sophisticated methods of social engineering, enticing a victim to open a file or click on a link. Ensuring that everyone in the organization is aware of the threats targeting their law firm through education and training is a key component to any cybersecurity program. However, it is important to note that awareness only reduces the risk; a sophisticated threat actor will eventually find a way to dupe a user and get into the network.
2 – Backup data regularly. This best practice ensures that users can go back and retrieve information stored in other locations. This is not a remedy, but it will buy a little time. Nevertheless, beware that when using network-enabled backups like a common share or cloud, it won’t take a sophisticated attacker long to find and infect those backups (remember, if you are already managing an attack, it means the threat actors are already in the network).
3 – Share information on cyberattacks and best practices. Clients have been calling on their law firms to be more open about attacks and to do more to protect their data. As a result, we are starting to see various forums sprouting up facilitating information sharing in order to educate peers about best practices. Alliances like the one formed by leading law firms in New York and London, and between Wall Street banks and law firms increase information available regarding attacks, which can lead to better defenses.
4 – Deploy technologies that can proactively protect against ransomware. Law firms should have in their arsenal means to prevent the consequences of these malicious intrusions, namely the ransoming of their data. Ensuring that the malicious encryption of data is prevented enables law firms to continue to work, even in a compromised environment.
Roy Katmor
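Item 2 above warns that a backup reachable from the network can itself be encrypted by the same intruder. The following is an added example, not code from the original article: it records a SHA-256 manifest of a clean backup (to be kept offline) and later audits the snapshot, flagging missing files, changed files, and changed files whose content has become near-random, which is the tell-tale of a backup encrypted in place. The file names, contents and the 7.0 bits-per-byte threshold are constructed for the demonstration.

```python
import hashlib, math, os, tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_manifest(root: str) -> dict:
    """Record each backed-up file's SHA-256 at backup time; keep this copy offline."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def audit_backup(root: str, manifest: dict, entropy_threshold: float = 7.0) -> dict:
    """Flag missing, modified, and modified-and-now-near-random files (encrypted in place)."""
    findings = {"missing": [], "modified": [], "suspect_encrypted": []}
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings["missing"].append(rel)
        elif sha256_file(full) != digest:
            findings["modified"].append(rel)
            with open(full, "rb") as fh:
                if shannon_entropy(fh.read()) >= entropy_threshold:
                    findings["suspect_encrypted"].append(rel)
    return findings

def demo() -> dict:
    """Constructed scenario: clean manifest, then one file overwritten with a
    high-entropy blob (stand-in for ransomware output), one appended to, one deleted."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("brief.txt", "contract.txt", "ledger.txt"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("Client memo, privileged and confidential.\n" * 50)
        manifest = build_manifest(root)
        with open(os.path.join(root, "contract.txt"), "wb") as fh:
            fh.write(bytes(range(256)) * 16)  # every byte value equally likely: entropy 8.0
        with open(os.path.join(root, "brief.txt"), "a") as fh:
            fh.write("Addendum filed Monday.\n")
        os.remove(os.path.join(root, "ledger.txt"))
        return audit_backup(root, manifest)
```

A legitimately edited document changes its hash but keeps text-like entropy, so only the near-random rewrite lands in `suspect_encrypted`; the audit only works if the manifest itself is stored somewhere the compromised network cannot reach.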