Cybercriminals have developed an insidious way of victimizing law firms—holding their valuable data for ransom. It is no secret to cybercriminals, hacktivists and nation states that many law firms are far behind the curve in cybersecurity. Due to their often-substantial cyber-vulnerabilities and the high value of the sensitive and confidential client data they possess, law firms are high-value targets.
In the past, cybercriminals operated like thieves in the night—remotely hacking into unsuspecting law firms and stealthily exfiltrating data. Today, these cybercriminals have found a direct method of exploiting law firms for profit—holding data for ransom. Here, the perpetrators do not have to spend the time and effort to sell stolen information on the Dark Web; the cyberthieves can directly extort money from the victim using sophisticated malicious software known as ransomware.
Although ransomware is not new, the most notorious version, known as CryptoLocker, is much more sophisticated than what has been seen in the past. CryptoLocker uses the AES-256 algorithm—an encryption standard used by the National Security Agency (NSA) to protect top-secret national security information—to encrypt the victim’s files and the RSA-2048 algorithm to protect the data encryption key. After the malware has done its work, the often unsuspecting victim receives an electronic ransom note threatening to lock away the data forever should the victim refuse to pay a fee, typically around $300. The victim is given a set of instructions requiring the ransom be paid with Bitcoin cryptocurrency, which is almost untraceable. The victim is often given a 72-hour deadline to pay the ransom, which is ominously displayed in a virtual countdown clock.
In May 2014, a coalition of international law enforcement agencies won a major victory against the CryptoLocker attackers when they took down the Gameover ZeuS botnet responsible for hosting CryptoLocker in an effort known as Operation Tovar. Following the operation, a security firm acquired a set of encryption keys and was able to produce a tool that allowed many users to decrypt their files. Unfortunately, just a year later, variants of CryptoLocker are now in play.
This proliferation of CryptoLocker variants has expanded the threat landscape, infecting an even larger number of systems. Some continue to operate under the name CryptoLocker, while others, such as CryptoWall, TorrentLocker, CryptVault, TeslaCrypt and CryptoFortress, are similar in nature.
In a high-profile January 2015 attack, the California law firm Ziprick & Cramer was hit by a new variant of CryptoLocker that encrypted files on their network share drive. After notifying the Federal Bureau of Investigation and the California Attorney General, Ziprick & Cramer refused to pay the demanded ransom, publicly stating, “[o]ur firm did not and will not pay any such ransom, which would only encourage and fund such criminals in their illegal activities.” Ziprick & Cramer should be applauded for standing up to these criminals; however, this dilemma likely put the firm in a precarious position with its clients.
PREVENTION AND RESPONSE
With law firms increasingly targeted in ransomware-based attacks, firms must be prepared to prevent and respond to the real risk of losing access to critical organizational intellectual property. The number one way organizations can prepare for ransomware is to keep recent offline backups of files in case a system becomes infected. With proper backup management, this malware can have the effect of a day of lost productivity rather than presenting an existential risk.
Second, the firm should conduct a risk assessment. An increasingly popular and accepted risk assessment framework in the legal industry is the ISO 27000 framework. This type of assessment will identify the most pressing firm security threats and most effective risk mitigation strategies including such elements of inventory and cataloging firm data, giving certain “crown jewel” data, such as health information or intellectual property, higher protection priority.
Third, firms should adopt the “principle of least privilege” by limiting the number of administrator accounts and properly granting access to files and directories, particularly on the network shares. Otherwise, ransomware infection of even a single low-level user can have a catastrophic impact.
Fourth, basic cybersecurity hygiene should be a firm priority. Antivirus software, frequent software updates, a company firewall and email filtering and attachment blocking all provide basic protections against malware, including ransomware like CryptoLocker.
Finally, firms should develop and exercise an incident response plan. This plan should be shared with all relevant security personnel and be exercised on a regular basis. Regular data breach simulation exercises will allow the team to work together during a crisis and further promote the continuous upgrading of the existing incident response plan. While system administrators can establish best practices, they must also be routinely exercised to remain effective. Regular incident response exercises and security training to maintain firm-wide vigilance can prepare users to not only assist in mitigation, but also prepare a firm to respond effectively to an infection.
DAMAGE CONTROL
Should a firm fall victim to ransomware, users suspecting an infection should immediately notify the relevant security or IT team to activate the firm’s incident response plan and to ensure the compromised computer is quarantined from networked storage. If derived from a phishing attack, the malicious email should be deleted and the originating domain name should be blocked. Depending on the extent of the infection and the level of damage, law enforcement should be notified. This may entail submitting a sample of the quarantined file to law enforcement or an antivirus vendor if the malware is unknown.
If a ransomware attack is successful and the attacker is able to encrypt some or all of the firm’s data, the firm has two basic options: if the firm has proactively backed up their files correctly, it can rely on these backed up files or a system restore. If not, the firm must decide whether or not it will comply with the ransom demand. While paying criminal elements operating this malware is abhorrent and potentially illegal, so too is the loss of the files a law firm or company is legally mandated to maintain. Moreover, paying the demanded ransom provides no guarantee that encrypted documents will be decrypted and recovered. The ultimate decision of whether to pay the ransom is a strategic, legal and ethical decision that should be made by firm leadership.
In addition to the business disruption a ransomware attack causes, victim firms must comply with a range of federal and state laws and regulations that mandate essential security measures for ensuring the security and privacy of personally identifiable information. The legal profession is additionally required to comply with the American Bar Association’s professional code of conduct, which instructs members to “act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure.”
No comments:
Post a Comment