The new year brings with it worrying trends about the rising threat to law firms posed by ever-more sophisticated ransomware attacks.
Cybersecurity firm Skybox Security reported that ransomware criminals are thriving in the remote work environment ushered in by the COVID-19 pandemic. According to a recent Skybox security update, ransomware attacks rose 72% during the first half of 2021.
While many ransomware attacks exploit known vulnerabilities in computer networks, ransomware criminals don’t need their victims to leave the proverbial door unlocked. They often can persuade victims to unlock the door for them. According to Verizon’s 2021 Data Breach Investigations Report, 85% of data breaches involved a human element. In many of those cases, the “human element” was an employee tricked by a phishing attack.
Do you feel safe because all remote connections to your law firm’s computers are made via a secure virtual private network (VPN)? Think again. VPN concentrators, which most organizations treat as the primary means of securing network connections for remote workers, are reportedly prioritized by ransomware criminals precisely because they provide a single, convenient point of entry to the intended victim’s network. A VPN protects traffic in transit; it does nothing for an unpatched concentrator or a phished credential, so these devices need the same patching and multi-factor authentication discipline as any other internet-facing system.
According to a recent private industry notification from the Federal Bureau of Investigation, ransomware criminals are actively searching through publicly available information to identify companies who are nearing the completion of a significant financial event such as a merger or public stock offering. Having identified an intended victim, the ransomware criminal breaches the target’s network to obtain non-public information that could be used to influence stock prices or scuttle the planned transaction altogether. Per the FBI:
Cyber criminals identify non-publicly available information, which they threaten to release or use as leverage during the extortion to entice victims to comply with ransom demands. Impending events that could affect a victim’s stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established.
This news has significant implications for law firms engaged in high-stakes litigation and mergers and acquisitions work. Law firms may wish to re-think the extent to which their clients are identified on websites over which the firm has control. They should also consider whether publicizing — in advance — their involvement in important litigation, mergers, or initial public offerings of securities could create an unwitting invitation to ransomware criminals.
If the law firm’s involvement in a high-value representation is a matter of public record, such as in court filings or news accounts, then the firm likely has an ethical duty to take whatever reasonable measures are available to mitigate the risk of a ransomware attack targeting the representation.
Practical Steps to Prevent or Mitigate Ransomware Attacks
Ransomware is a type of malware designed to render files inaccessible to their rightful owner by encrypting them and, in some cases, to exfiltrate valuable data from the computer first. Bad actors then demand payment in exchange for decryption and/or for refraining from publishing the stolen data online. It should be easy to see how a successful ransomware attack on a law firm would impair that firm’s ability to represent its clients effectively and confidentially.
While the buildout of a comprehensive cybersecurity program is well beyond the scope of this article, there are a few steps law firms can take immediately to minimize the threat of a ransomware attack. As usual, the best steps to minimize exposure to cybersecurity risks are relatively simple, but go beyond deploying “table-stakes” endpoint protection software:
Ongoing Security Awareness Training. People are often the weakest link in any cybersecurity chain; studies consistently show that untrained and unwary human beings represent the greatest security risk at any organization. Clicking a malicious link in an email message is all that is necessary for some ransomware programs to gain a foothold in a law firm’s infrastructure. Law firms should provide ongoing, comprehensive security awareness training that gives detailed instruction on how to identify and avoid those phishing attacks.
Here are a few examples of the most common types of phishing attacks: spear phishing, whaling, clone phishing, vishing, smishing, link manipulation, filter evasion, website forgery, covert redirects, reverse tabnabbing, and pharming. Training can teach staff how to recognize and respond to these techniques safely. Mock phishing campaigns then measure what effect the training has in the everyday work environment, and each click becomes a teachable moment that further improves awareness and handling of phishing attempts.
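Link manipulation, covert redirects and website forgery all exploit the gap between what an email displays and where its link actually goes. As an added example (not from the original article), the Python below scans a constructed HTML message for anchors whose visible text names one domain while the href resolves to another, and for hrefs carrying an open-redirect style parameter that forwards to a third host. The message body, every domain in it and the list of redirect parameter names are assumptions for the demo, and the domain comparison is a crude last-two-labels match rather than a real public-suffix check.

```python
"""Flag link manipulation in an HTML email.
Added example; the sample message and all domains below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# A domain-looking token inside the anchor's visible text (optionally prefixed by a scheme).
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
# Query parameter names commonly abused for covert redirects (assumed list for the demo).
REDIRECT_KEYS = {"url", "redirect", "next", "target", "dest", "goto"}
ALLOWED_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative link


def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels. Fine for a demo, not for production
    (use a public-suffix list there)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return a list of {href, text, reasons} for anchors that look deceptive."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        u = urlparse(href)
        host = u.hostname or ""
        reasons = []
        # 1. Visible text shows one domain, href lands on another (classic lookalike subdomain).
        m = DOMAIN_RE.search(text)
        if m and host and registrable(m.group(1)) != registrable(host):
            reasons.append(f"text shows {m.group(1)} but href goes to {host}")
        # 2. A legitimate host used as a trampoline via a redirect parameter.
        for key, values in parse_qs(u.query).items():
            if key.lower() in REDIRECT_KEYS:
                for v in values:
                    target = urlparse(v).hostname
                    if target and registrable(target) != registrable(host):
                        reasons.append(f"redirect param {key}= forwards to {target}")
        # 3. Anything other than a web/mail/relative link has no business in a document notice.
        if u.scheme not in ALLOWED_SCHEMES:
            reasons.append(f"unexpected scheme {u.scheme}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: one lookalike-subdomain link, one covert redirect, one clean link.
SAMPLE_EMAIL = """
<p>Your document is ready. Open it at
<a href="http://portal.examplefirm.com.evil-host.test/login">https://portal.examplefirm.com</a>
or <a href="https://www.examplefirm.com/share?redirect=https://evil-host.test/x">view in browser</a>.
Questions? <a href="https://www.examplefirm.com/help">help desk</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The first link is the one most people fall for: the text and the href both start with the firm's name, but the host the browser actually contacts is the last two labels, not the first. Running the same check over a mock phishing campaign's templates is a quick way to confirm the lures exercise the techniques the training covered.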
Install available security patches ASAP. Whether initial access comes from phishing or another vector, ransomware criminals usually rely on publicly known security vulnerabilities to move further into a network. While most software vendors promptly publish patches for vulnerabilities, it is the responsibility of the organization running the software to install the relevant updates. Every minute between the public disclosure of a vulnerability and the installation of its patch is an opportunity for a bad actor to exploit that vulnerability with ransomware.
Given this fact, it is astonishing that the average time to fix high severity vulnerabilities grew from 197 days to 246 days in the first half of 2021, according to a report from NTT Application Security in July 2021. Using older software and systems may expose your law firm to additional risk because vendors often stop releasing patches for end-of-life software. Ideally, law firms should run supported applications and systems and employ a centralized, automated patch management solution that allows easy management and reporting of patch deployment across all systems, ensuring that known security vulnerabilities are patched as quickly as possible. Internet-facing network equipment, including the VPN concentrators discussed above, belongs in that patch inventory alongside workstations and servers.
Back Up Critical Data. A ransomware criminal’s threats are most acute when they involve the sole copy of a valuable dataset. Law firms that maintain backup copies of critical data, either offline in a secure location or in the cloud, are less vulnerable to a ransomware criminal’s demands. Note that a cloud or network backup reachable with the same credentials as the production systems can be encrypted or deleted along with them, so at least one copy should be offline or otherwise immutable. Remember also that the act of backing up data must be paired with regular log review and periodic restore testing to confirm that data recovery procedures actually work.
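A backup only counts if it can be restored and has not been touched. As an added example (not from the original article), the Python below writes a small constructed matter folder to a tarball with a separate SHA-256 manifest, restores it into a scratch directory and reconciles every file against the manifest, then deliberately corrupts the archive to show the check failing. Every path, file name and file content is constructed for the demo. The manifest is written beside the archive here for simplicity; in practice it belongs somewhere the backup credentials cannot reach, such as offline media or write-once storage.

```python
"""Backup with an integrity manifest plus an automatic restore test.
Added example; every path and file below is constructed for the demo."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest_dir: Path) -> tuple:
    """Tar the source tree and write a JSON manifest holding per-file hashes and the
    archive hash. Keep the manifest where the backup credentials cannot reach it
    (offline media, WORM storage); for the demo it simply sits beside the archive."""
    files = sorted(p for p in source.rglob("*") if p.is_file())
    file_hashes = {p.relative_to(source).as_posix(): sha256_of(p) for p in files}
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in files:
            tar.add(str(p), arcname=p.relative_to(source).as_posix())
    manifest = dest_dir / "backup.manifest.json"
    manifest.write_text(json.dumps(
        {"archive_sha256": sha256_of(archive), "files": file_hashes}, indent=1))
    return archive, manifest


def _safe_members(tar: tarfile.TarFile):
    """Yield only regular files whose paths stay inside the extraction root
    (a tampered archive could otherwise write outside it)."""
    for m in tar.getmembers():
        name = os.path.normpath(m.name)
        if m.isfile() and not os.path.isabs(name) and not name.startswith(".."):
            yield m


def restore_test(archive: Path, manifest_path: Path) -> dict:
    """Restore into a scratch directory and reconcile it against the manifest.
    Returns {"ok": bool, "missing": [...], "corrupt": [...], "extra": [...]}."""
    manifest = json.loads(manifest_path.read_text())
    result = {"ok": False, "missing": [], "corrupt": [], "extra": []}
    if sha256_of(archive) != manifest["archive_sha256"]:
        result["corrupt"].append("<archive>")   # never open an archive that fails its hash
        return result
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(scratch, members=list(_safe_members(tar)))
        restored = {p.relative_to(root).as_posix(): sha256_of(p)
                    for p in root.rglob("*") if p.is_file()}
    for name, digest in manifest["files"].items():
        if name not in restored:
            result["missing"].append(name)
        elif restored[name] != digest:
            result["corrupt"].append(name)
    result["extra"] = sorted(set(restored) - set(manifest["files"]))
    result["ok"] = not (result["missing"] or result["corrupt"] or result["extra"])
    return result


def demo() -> tuple:
    """Constructed scenario: back up a tiny matter folder, prove it restores, then
    stomp the archive header (what an intruder who reaches the backup share might
    do) and show the restore test failing loudly. Returns (good_result, bad_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "matters"
        (src / "acme-v-beta").mkdir(parents=True)
        (src / "acme-v-beta" / "complaint.txt").write_text("constructed sample pleading\n")
        (src / "notes.txt").write_text("constructed sample notes\n")
        vault = Path(tmp) / "vault"
        vault.mkdir()
        archive, manifest = make_backup(src, vault)
        good = restore_test(archive, manifest)
        with open(archive, "r+b") as f:
            f.write(b"\x00\x00")               # overwrite the gzip magic bytes
        bad = restore_test(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("restore ok:", good["ok"], "| after tampering:", bad)
```

The point of `restore_test` is that it is cheap enough to run on a schedule: a backup job that writes a manifest but never restores from it will not reveal a silently corrupted or partially encrypted archive until the day the firm actually needs it.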
For law firms just getting started on improving cybersecurity operations, the Federal Trade Commission is a great place to start. The FTC series Protecting Personal Information: A Guide for Business, Start With Security: A Guide for Business, and Data Breach: A Guide for Business cover the basics from identifying security issues to reporting in the event of a security incident.
Reporting Ransomware Attacks
In the United States, the FBI has two key pieces of advice for ransomware victims: first, do not pay the ransom demand; second, report the ransomware attack to the federal government.
Neither recommendation has earned wide acceptance among the private sector.
News outlets regularly report that companies are paying steep ransom demands. For example, Colonial Pipeline reportedly paid about $5 million in ransom to regain access to its computer network in May 2021. According to a U.S. Treasury Department Financial Crimes Enforcement Network report, payments related to ransomware demands during the first six months of 2021 were $590 million, up significantly from the $416 million reported for all of 2020.
On the subject of reporting ransomware attacks to the FBI, some consultants serving the legal services industry advise calling a few other folks first. Because a ransomware attack is usually a data breach as well, law firms might want to direct that first call to a lawyer specializing in data breach incidents. Federal and state laws may impose legal obligations on the law firm to respond (or not), and of course there are liability and reputational concerns that should be considered when malicious actors gain control over client confidential information.
A second critical phone call to make in the event of a ransomware attack is to the firm’s cyberinsurance carrier. Insurance industry experts say that the ransomware threat has been a driving force behind the recent surge in demand for cyberinsurance policies. Coverage for ransomware losses may depend on the timeliness of that call; in any event, insurance carriers often have sound advice on how to respond to covered losses.
Finally, each law firm should maintain a breach notification matrix that documents client-specific, contractual requirements for notification in the event of a data breach resulting from a ransomware attack. That matrix should track the notification timeframe, contact method, and relevant contact information provided by each client with specific contractual requirements. For clients with no specific breach notification requirement, the firm should define a standard notification procedure.
Law firms should be aware that federal legislation has been proposed that would eliminate some of the discretion law firms might enjoy regarding how, and when, to report ransomware attacks. The Ransomware Disclosure Act, proposed in October 2021, by Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.), would require all ransomware victims to disclose to the Department of Homeland Security “information about ransom payments no later than 48 hours after the date of payment, including the amount of ransom demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom.”
The Warren/Ross proposal would allow DHS to publicly report the extent of ransomware payments made, though not the names of the entities who made the payments.
More information about the ransomware threat, as well as information about how to report a ransomware attack, is available at the Cybersecurity & Infrastructure Security Agency website.