Ransomware has quickly emerged as a billion-dollar industry and shows no sign of slowing down. 2016 statistics indicate that 40 percent of spam email contained ransomware, representing 60 percent of infections. Every 40 seconds a company gets hit with ransomware, and business payouts are significantly higher than in consumer-focused cyber extortion, with payments ranging from $17,000 to $150,000. And just recently, countries in Europe and elsewhere were hit with a massive ransomware attack by the WannaCry malware. Fortunately, the U.S. was mostly spared.
So why is ransomware the ubiquitous nuisance it is? Simple: It works. Over 70 percent of companies pay the ransom.
Ransomware is particularly successful in industries that operate with a sense of urgency and depend on immediate access to their data, and those industries tend to be heavily regulated just for good measure. Regulatory oversight plus criminal targeting puts industries such as financial services, healthcare providers, and law firms in a cyber vise, squeezing out juicy ransom payments.
The cost of ransomware merely starts with the ransom and balloons, by one estimate, to nearly $75 billion annually once downtime, lost revenue, and cleanup costs are added to the tally. For a law firm, lost productivity is the true cost. Most clean-up efforts take two days, with losses closer to $10,000. Considering that billable hours for partners average $604/hour and associates around $370, the average loss per attorney per hour is closer to the $500 mark. Two days of lost billable hours (about 16 hours at $500) represents about $8,000 per attorney. And that doesn't count active cases, reputation and the harder-to-quantify aspects.
And at what point could paying a ransom run afoul of the law? A dystopian view could envision a government, struggling to hinder the seller side of the ransomware equation, turning its focus to the buyer (the payer) by legislating, or reinterpreting existing trade regulations, to treat payments as conducting business with restricted trade partners or, worse, as funds tied to terrorism. More on the implications of this later.
The Good, Bad and Ugly
In the last six months, eSentire managed three cases of ransomware at law firms. The impact ranged from nuisance, to business disrupting, to potentially business ending. In the first case, the firm was hit by a variant of 87.exe, a known ransomware family. The eSentire Security Operations Center (SOC) picked up the initial attack and blocked it. The attack was then relaunched from other web servers, using mutated copies of the file to disguise its contents. After numerous attempts, the ransomware got onto the client network and detonated. On detecting unusual traffic between the ransomware and its command-and-control host on the internet, the SOC blocked outbound network traffic and quarantined the suspect device. Within about 45 minutes, the machine was cleaned and restored from backups. In less than an hour, the affected attorney was back in business with no further ransomware activity. That's the Good.
Now the Bad. At the same time, another law firm was hit by the same attack. Unfortunately, in this case it took most of the business day to detect, by which time the ransomware had infected an active file server housing 700 GB of case files in use by 20 attorneys. Remediation took over two days from initial infection, or about $160,000 in lost billable hours (20 attorneys at roughly $8,000 each). About a week later a second site was hit, and a few days after that a third, with about the same result each time. In the end, the firm lost around $500,000 in billable hours. It also had to report the event to its clients, because the locked files belonged to active cases at trial. Notably, all three infected servers were tied to active cases, which supports the conclusion that the attack was targeted at the assets the firm could least afford to lose, to ensure prompt and full payment.
And now the Ugly. A firm fell prey to a phishing campaign targeting law firms, in which attorneys received an email purporting to come from the state's attorney's office and alluding to vague legal action against the firm. The attached PDF was the bait, supposedly containing the details; it also carried the ransomware. Like most ransomware, the ransom note spelled out a ransom that grew over time and threatened to delete all encrypted files after 48 hours. The attorney sensibly took a screen capture of the ransom screen. Almost four days later (well past the deadline to delete all files), the IT team examined the infected laptop. The team destroyed the infected hard drive and installed a new one. That is when the story turns ugly: when they attempted to restore files from backups, they discovered that none of the backups worked. eSentire was called in to conduct post-event forensics, help communicate the issue to clients, and rebuild as many legal records as could be found or recovered from other sources. It is still an ongoing case, with enormous reputational damage, lost business, and potential lawsuits.
A Fistful of Advice
Ransomware is a risk all law firms need to accept and prepare for. The point with every risk that cannot be eliminated is to mitigate as much of the risk as you can, and disarm any events so they do not become business disrupting. Like every other aspect of cybersecurity, every level of the firm has a role to play:
The Board/Managing Partners
Managing partners govern the business health and continuity of the firm and as such must consider the broader issues of ransomware. The most tangible is ensuring that the security team has the budget, staff and resources to combat or mitigate ransomware. But the biggest question facing boards today, across all industries, is whether to pay the ransom. Should the firm set up a Bitcoin account and be ready to pay? At a 70 percent payout rate, it sounds like most have.
Now, to digress for a second, the Board also has to weigh the ethical and potentially legal issues of payment. Take my dystopian view for a second: the scenario of the Department of Justice prosecuting a firm for making ransomware payments is perhaps something out of Black Mirror. Who pays? Who sets up the account, makes the transaction, and gives the orders? And by extension, who is culpable for the hypothetical violation or crime? Who could be prosecuted? Not sure yet, but I intend to take the story to the producers of Black Mirror.
Firm managers must ensure that business disruption planning includes ransomware attacks, with pay out plans, system restoration, and client notification. This is especially important when it comes to active cases.
The IT/Security Team
If the IT/Sec team does one thing, it is back up all files and test the backups. This point cannot be stressed enough. Working backups make the event a nuisance; non-existent or untested backups make the event business disrupting. Beyond that, application whitelisting and similar controls can eliminate much of the threat from common ransomware, because the ransomware executable never gets to run in the first place.
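The "test the backups" advice above is the one step that would have turned the Ugly case into a nuisance, so here is what a restore drill looks like in practice. This is an added example, not code from the article or from eSentire; the manifest-based copy job is an assumed stand-in for whatever backup product the firm actually uses, and the case-file names and contents are constructed. The point is the drill itself: restore the whole backup into scratch space, verify every file's SHA-256 against the manifest, and fail loudly if anything is missing, corrupt, or older than the firm's recovery point objective.

```python
"""Restore drill: prove the backup can actually be restored before you need it.

The manifest-based copy below is a stand-in for a real backup product; the
verification logic is the part worth keeping.
"""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, backup: Path) -> dict:
    """Copy every file under source into backup and record its SHA-256.

    Stand-in for the firm's real backup job (assumption). The manifest is
    what lets the drill tell "restored" from "restored but silently corrupt".
    """
    backup.mkdir(parents=True, exist_ok=True)
    files = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            dest = backup / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
            files[rel] = sha256_file(p)
    (backup / MANIFEST).write_text(json.dumps({"created": time.time(), "files": files}))
    return files


def restore_drill(backup: Path, max_age_hours: float = 24.0, now: Optional[float] = None) -> dict:
    """Restore the whole backup into scratch space and verify every file.

    'ok' is True only if every manifest entry exists, restores with the
    expected hash, and the backup is no older than max_age_hours.
    """
    report = {"ok": False, "restored": 0, "missing": [], "corrupt": [], "stale": False, "error": None}
    manifest_path = backup / MANIFEST
    if not manifest_path.exists():
        report["error"] = "no manifest; backup cannot be verified"
        return report
    manifest = json.loads(manifest_path.read_text())
    age_hours = ((now if now is not None else time.time()) - manifest["created"]) / 3600
    report["stale"] = age_hours > max_age_hours
    with tempfile.TemporaryDirectory() as scratch_dir:
        scratch = Path(scratch_dir)
        for rel, expected in manifest["files"].items():
            src = backup / rel
            if not src.exists():
                report["missing"].append(rel)
                continue
            dst = scratch / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # the actual restore step
            if sha256_file(dst) != expected:
                report["corrupt"].append(rel)
            else:
                report["restored"] += 1
    report["ok"] = not (report["missing"] or report["corrupt"] or report["stale"])
    return report


def demo() -> tuple:
    """Drill a fresh backup, the same backup four days later, and the same
    backup after simulated media damage. Returns (good, stale, bad) reports."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        tmp = Path(tmp_dir)
        source, backup = tmp / "fileserver", tmp / "backup"
        # Constructed sample case files; names and contents are placeholders.
        sample = {
            "cases/smith_v_jones/brief.docx": b"Brief draft v3 (constructed)",
            "cases/smith_v_jones/exhibits/ex_a.pdf": b"%PDF-1.4 constructed exhibit",
            "cases/acme_merger/term_sheet.xlsx": b"PK constructed spreadsheet",
        }
        for rel, data in sample.items():
            p = source / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        make_backup(source, backup)
        good = restore_drill(backup)
        # Same backup checked four days later against a 24-hour freshness requirement.
        stale = restore_drill(backup, max_age_hours=24, now=time.time() + 4 * 86400)
        # The Ugly case: backup media silently damaged, noticed only at restore time.
        (backup / "cases/smith_v_jones/brief.docx").write_bytes(b"\x00" * 16)
        (backup / "cases/acme_merger/term_sheet.xlsx").unlink()
        bad = restore_drill(backup)
        return good, stale, bad


if __name__ == "__main__":
    for label, rep in zip(("fresh", "stale", "damaged"), demo()):
        print(f"{label}: ok={rep['ok']} restored={rep['restored']} "
              f"missing={rep['missing']} corrupt={rep['corrupt']} stale={rep['stale']}")
```

Run the drill automatically after every backup job and treat ok=False as an incident rather than a log line; a backup that has never been restored is an assumption, not a control. Keep the manifest (or a copy of it) somewhere the file server's users cannot write, so that ransomware that encrypts the backup share cannot also rewrite the hashes it is checked against.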
All Attorneys and Employees
Everyone plays a role in preventing ransomware. The majority of attacks start with a phishing email. Security awareness training and friendly (simulated) phishing exercises can greatly reduce the number of real attacks that affect the firm's operation. Considering that every attorney represents $8,000 in lost billable hours per successful ransomware attack, training and testing costs an order of magnitude less than the losses it prevents.
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
Mark Sangster (email@example.com) is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In addition to Mark’s role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves as a member of the LegalSec Council with the International Legal Technology Association (ILTA).