The Cascading Effects of Ransomware Attacks on the Legal Ecosystem and How to Stay Protected

Antonio Challita

Ransomware has become the weapon of choice for cybercriminals to launch cyber attacks, cause disruption and generate significant revenue. While some argue that ransomware attacks are slowing down, the data shows otherwise. A recent report by SonicWall shows nearly 100,000 ransomware attacks per day in 2018. This is a whopping 25 times higher than the previous figure of 4,000 attacks per day that was reported by the FBI in 2016.

From a cybercriminal’s perspective, the motivation to continue launching ransomware attacks remains high. This is due to several factors: 

  1. Effort: Ransomware is easier than ever to obtain through Ransomware-as-a-Service providers, many of which offer never-before-seen ransomware variants that are undetectable by antivirus.
  2. Distribution: Ransomware is one of the easiest forms of malware to distribute, shared primarily through phishing emails, remote desktop connections and compromised websites.
  3. Payment: Ransomware payouts are at an all-time high, with some campaigns, such as the infamous SamSam, generating $5,900,000 and counting for the authors.
  4. Traceability: Cryptocurrency grants cybercriminals pseudo-anonymity and helps them evade law enforcement.
  5. Risk: The risk of launching ransomware attacks for cybercriminals is relatively low, particularly outside the United States.

To make matters more challenging, the legal industry remains largely unprepared to defend itself effectively against ransomware. It’s cost-prohibitive for many companies to replace their older PCs and servers with newer, more secure systems. It’s also difficult to keep the PCs and servers up to date with the latest software. Legacy systems and outdated software have vulnerabilities that are well known and well documented in the security community. In fact, known vulnerabilities were exploited to shock the world in both the WannaCry and NotPetya ransomware attacks in 2017.

We’ve also seen several high-profile ransomware attacks specifically targeting the legal sector in the past few years, including: a ransomware attack on the big law firm DLA Piper, which was impacted by NotPetya; the Montgomery County Court Systems, which were forced to pay over $40,000 to regain access to their data and spend an estimated $250,000 in the months following the attacks to upgrade their security capabilities; and the City of Atlanta, which was impacted by the SamSam ransomware variant, causing its Police Department to lose years of dash cam video evidence.

When it comes to law firms and accompanying entities in the legal ecosystem, such as courts, court reporters, evidence departments, patent offices, and city offices, ransomware attacks become increasingly harmful due to the sensitive nature of the data and documents that each of these offices handles and stores. The documents are often confidential, personal, and sometimes irreplaceable.


Can you imagine a document containing a proprietary patent-pending invention for a business being rendered inaccessible due to a ransomware attack? Or a family will being destroyed? Or evidence for a crime scene getting encrypted?

Ransomware attacks not only make such critical documents inaccessible, but the attackers can also threaten to release sensitive information to the public if the ransomware payment is not made in a timely fashion. 

Taking it a step further, law firms that fall victim to ransomware not only have to address recovering and safeguarding sensitive data, they also face a direct hit to their incoming revenue. A law firm in Rhode Island recently sued their insurance company for $700,000 of lost billings as the result of a ransomware attack.

Given the prevalence of ransomware attacks in the legal sector, how can firms protect themselves? The key is to implement a defense-in-depth, layered security approach. Here are some tips that can help firms gain an advantage over adversaries:

  1. Keep the software on PCs, servers, browsers, plugins, and Internet-facing applications up to date.
  2. Maintain regular backups, ideally with the backup devices stored offline and disconnected from the main local area network.
  3. Train employees to be aware of social engineering attacks and to avoid clicking on phishing emails, opening suspicious attachments or clicking on malicious advertisements.
  4. Apply least privilege. Provide employees with user accounts, not admin accounts. Limit which accounts can access servers. Close down open ports (such as those used by Remote Desktop Protocol) and mandate the use of strong passwords.
  5. Consider using a behavioral-based ransomware protection solution that incorporates real-time behavioral analysis and machine learning. This helps protect against polymorphic and zero-day ransomware variants that antivirus solutions cannot detect.
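
To make the "behavioral analysis" in tip 5 concrete, here is an added example (not from the article, and not how any particular product works): a simplified heuristic that flags a process writing high-entropy data to many distinct files in a short window. The event format, thresholds, process names and paths are all assumptions, and the sample data is constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0-8.0); encrypted output sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_mass_rewrite(events, window=10.0, min_files=5, min_entropy=7.5):
    """events: (time_s, process, path, bytes_written) tuples sorted by time.
    Flags a process that writes high-entropy data to at least min_files
    distinct paths within any window-second span."""
    recent = defaultdict(deque)          # process -> (time, path) of hot writes
    flagged = []
    for t, proc, path, data in events:
        if shannon_entropy(data) < min_entropy:
            continue                     # ordinary text and similar content
        q = recent[proc]
        q.append((t, path))
        while t - q[0][0] > window:      # drop writes older than the window
            q.popleft()
        if proc not in flagged and len({p for _, p in q}) >= min_files:
            flagged.append(proc)
    return flagged

def pseudo_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted file contents (SHA-256 stream)."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest()
              for i in range(size // 32))
    return b"".join(blocks)

def sample_events():
    """Constructed events; process names and paths are hypothetical."""
    text = b"This agreement is made between the undersigned parties. " * 80
    ev = [(float(i), "editor.exe", f"C:/matters/notes{i}.txt", text)
          for i in range(8)]
    ev += [(20 + 0.5 * i, "unknown.exe", f"C:/matters/file{i}.pdf",
            pseudo_ciphertext(i)) for i in range(8)]
    # A backup job also writes high-entropy data, but to a single archive.
    ev += [(40.0 + i, "backup.exe", "D:/backup/archive.bak",
            pseudo_ciphertext(100 + i)) for i in range(8)]
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    print(detect_mass_rewrite(sample_events()))
```

Compressed formats are also high-entropy, which is why the heuristic counts distinct files per process over time instead of alerting on entropy alone.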

Legal IT Today #20

The Internet is a dangerous place and ransomware never sleeps. It is prudent to take the above measures to heart and implement them, because, as the saying goes, an ounce of prevention is worth a pound of cure.

Antonio Challita has been immersed in cybersecurity since the mid-2000s, and serves as the Director of Product Management at CyberSight, the creators of the award-winning RansomStopper solution.

Copyright © 2021 Legal IT Professionals. All Rights Reserved.
