Law Firms Emerge As Easy Targets For Ransomware Attacks


Ransomware attacks are an expanding plague in the corporate arena, and data-rich law firms are an attractive target for cybercriminals in search of sensitive information that will garner them big payouts, a digital forensics specialist said during a cybersecurity panel discussion on Thursday. 

“It's one of the most profitable malwares ever created," Bill Hardin, a data breach and cybersecurity expert at consulting firm Charles River Associates, said at the Legal Malpractice & Risk Management Conference in Chicago, adding that his firm sees about one ransomware case a day. 

Digital extortion is rampant right now, and ransomware is a particularly potent form of extortion, the panel said. When hackers threaten to lock organizations out of their own servers or to publicly release their sensitive information, the victims are often forced to pay up.

In fact, the value of certain types of stolen data is rising on the black market because they enable or widen ransomware campaigns. Email addresses are in demand, Hardin said, because they are needed to run the broad phishing campaigns that lead an unwitting victim to click a link that launches the ransomware. The most expensive data for sale are usernames and passwords that give attackers direct access to the holders' organizations.

Law firms are rife with opportunity for hackers, according to Hardin.

“They're in it for the money,” he said of cyber attackers. “At the end of the day these are enterprises, these are businesses, that are at it from a profit perspective. … Why are they targeting law firms? You guys are rich with data; there's a lot of rich information your clients share with you, and a lot of criminals are targeting law firms because they think it's a weak point in the chain.”

Hinshaw & Culbertson LLP Partner and Deputy General Counsel Steven Puiszis said law firms should back up their data and, crucially, make sure they can actually restore it from that backup. He knows of law firms that had backups but, when it mattered, could not recreate and restore the data from them. Ransomware almost always encrypts the target's data in place on the network rather than removing it, so a working restore is what gets the firm back on its feet; if you can't restore, you're subject to state disclosure requirements as well as reporting requirements under the Health Insurance Portability and Accountability Act, he said.
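The point Puiszis makes is that a backup that has never been test-restored is an assumption, not a control. The following is an added example (not from the conference speakers or the firms named in the article) of the kind of restore drill a firm's IT staff could run: hash every file at backup time into a manifest, restore into a separate tree, and diff the restored tree against the manifest. The directory layout, file names and file contents here are constructed for the drill and are not real matter data.

```python
"""Test-restore check: a backup is only useful if it restores byte-for-byte.

Added example, not code from the conference or the firms in the article.
Assumed layout: a source tree is backed up, later restored into a separate
tree; both sides are hashed and the manifests compared.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def verify_restore(expected: dict, restored_root: Path) -> list:
    """Compare a restored tree against the manifest taken at backup time.

    Returns a sorted list of (relative_path, problem) tuples; an empty list
    means the restore reproduced every file exactly.
    """
    actual = build_manifest(restored_root)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append((rel, "missing"))
        elif actual[rel] != digest:
            problems.append((rel, "content mismatch"))
    for rel in actual:
        if rel not in expected:
            problems.append((rel, "unexpected extra file"))
    return sorted(problems)


def simulate_restore_drill() -> tuple:
    """Run a self-contained drill on constructed data.

    Returns (clean_problems, broken_problems): the first from a faithful
    restore, the second from a restore that looks complete but silently
    truncated one file and never brought another back.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "matters"                      # constructed sample tree
        (src / "client_a").mkdir(parents=True)
        (src / "client_a" / "engagement.txt").write_bytes(b"engagement letter\n" * 100)
        (src / "client_a" / "discovery.bin").write_bytes(os.urandom(4096))
        (src / "billing.csv").write_bytes(b"matter,hours\nA-1,3.5\n")

        manifest = build_manifest(src)             # taken at backup time
        backup = tmp / "backup"
        shutil.copytree(src, backup)               # the "backup" itself

        # Drill 1: faithful restore, every file comes back as it was.
        good = tmp / "restore_good"
        shutil.copytree(backup, good)
        clean = verify_restore(manifest, good)

        # Drill 2: a restore that is subtly broken.
        bad = tmp / "restore_bad"
        shutil.copytree(backup, bad)
        (bad / "client_a" / "discovery.bin").write_bytes(b"")   # truncated
        (bad / "billing.csv").unlink()                           # never restored
        broken = verify_restore(manifest, bad)
        return clean, broken


if __name__ == "__main__":
    clean, broken = simulate_restore_drill()
    print("faithful restore problems:", clean)     # []
    print("broken restore problems:", broken)      # truncated + missing file
```

The manifest should be stored with the backup but also kept somewhere the backup system cannot overwrite, since a ransomware operator who reaches the backup server will happily encrypt the manifest along with everything else; the drill itself should be run on a schedule, not only after an incident.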

However, Puiszis said, the first line of defense against ransomware is properly teaching people to ignore emails from people they don't know and not to open attachments or click on links they weren't expecting.

“We've had emails come to our lawyers purportedly from third-year law students enclosing their resumes,” Puiszis said. “It wasn't a resume, it was ransomware.”

From a behavioral perspective, Hardin said, when people receive an email that appears to come from their IT department directing recipients to download a new software update, people are apt to comply.

To drive home the point, he revealed that he had sent a phishing email out to conference attendees from “IT” asking them to click one link to download a software update and another link, this one leading to a log-in page, to confirm they had completed the update. Dozens of recipients clicked, and in doing so many would have compromised their devices.

At the discussion, Hardin presented a walk-through from the hacker's perspective, showing that clicking one of the links gave him immediate access to a victim's laptop, from the file system to the webcam. When ransomware holds servers hostage, paying the ransom will typically free the data, he said: “There's honor among thieves.” When the ransom note instead threatens to publish or release data, there is far less certainty: the thieves can still distribute it after the ransom is paid.

Hardin noted that victims can negotiate with ransomware attackers if they wish.

“[We were] actually working on a case recently where we got a contract from the bad guy,” Hardin said. “We kept joking that we could actually redline the hacker's contract and send him our terms. Again, you have to look at it from a business model perspective. … They're using extortion as a means of making money, and it works.”