What law firms need to know about ransomware, the latest cyber threat

Listen to this article

By David Donovan
Dolan Media Newswires

Picture this: You arrive to work one morning and boot up your computer. Instead of seeing your usual background, an unusual message pops up on your screen. The message tells you that your files have been “locked” and the only way to unlock them is to transfer several hundred dollars’ worth of Bitcoin to the keyholder within a short period, maybe 48 hours.

It is, essentially, a kidnapping note — send us the money or you’ll never see your precious files again.

That, in a nutshell, is what it looks like to be the victim of an attack by “ransomware,” a type of computer virus that prevents users from accessing their files. Once a computer is infected, such viruses are difficult to remove except by the hackers who placed it there. The hackers, of course, demand a ransom to unlock the files. The amounts of the demands vary, but they are often in the range of several hundred dollars, manageable enough to encourage the victim to just pay up rather than try to fight back.

It’s impossible to know how many companies are targeted by ransomware attacks each year, but computer security experts have little doubt that the number is growing as hackers have found the tactic successful. Experts also caution that lawyers, whose files usually contain troves of highly sensitive information, are uniquely at risk of being targeted.

“It’s been going on the last few years, but it’s become a very easy way for the criminal, I think, to make money,” said Ron Kiefer, an Atlanta-based senior vice president of Risk Placement Services, which offers network security and cyber-insurance. “It’s very easy pickings for them because there’s not a lot of effort they have to extend on their part and there are a lot of unwitting victims out there who will pay the ransom. And I think that’s why there’s been a proliferation of this. There are now actually organized crime syndicates behind this.”

The evolution of a virus

Ransomware differs from more traditional forms of cyber-attack where hackers attempt to steal a user’s data in order to use it for their own financial benefit. The problem with such hacks is that they’re usually swiftly detected and the target can often quickly make the stolen information obsolete, for instance, by canceling compromised credit cards and issuing new ones to customers. Ransomware schemes obviate that problem by making computer files inaccessible and then extorting money in exchange for restoring the target’s access to their own data.

Sometimes hackers try to make it appear as if a target’s files have been locked by a legitimate law enforcement agency such as the Federal Bureau of Investigation. The user will receive a message claiming that illegal content has been discovered on their computer and that the user will need to pay a fine in order to unlock their data. But often hackers don’t even bother with the pretense of trying to dupe victims into thinking the attack is anything other than the extortion racket that it is.

Although the ransoms requested are generally not astronomical, such attacks still create many problems for the companies targeted, not least of all the downtime endured while they’re locked out of their computer files. Attacks usually originate from outside the United States and often demand payments in “cryptocurrencies” such as Bitcoin, since this makes them untraceable to law enforcement. Sometimes victims pay the ransom but still never get their data back — or, if they don’t upgrade their defenses, get hit again by the same hackers a few months later.

The more valuable the locked-up data is to its rightful owner, the more attractive a target the owner of the data becomes to ransomware hackers. That puts law firms particularly at risk to such hacks, and the relatively small ransom sizes mean that small law firms can be just as viable a target as large ones. In fact, small firms can actually be more at risk than big ones because they usually have fewer resources to devote to IT support.

“The perception used to be that smaller law firms weren’t the targets, but lots of the clients that we see are smaller law firms, so we’re seeing those too,” said Adam Pierce, director of property and casualty operations for Lawyers Insurance Agency. “Almost any law firm will have the personal information of anyone they work with, so any hack could turn into a big thing for them. The FBI actually issued a specific warning that law firms could be a significant target because of the sensitive information they have.”

Barbarians at the gate

Security experts say that prevention is the best medicine and there are many things law firms can do to protect themselves against ransomware attacks, largely steps that firms should be taking anyway to protect themselves from all types of computer viruses. The most important is to keep all data stored in three places — on the primary computer, in the cloud and on some sort of external hard drive — and automatically backed up every night. Ransomware viruses are much easier to deal with when the affected files can be quickly recovered from another source.

Common sense and properly training all employees is also invaluable. Like other viruses, ransomware typically infects a computer via an attachment in an email. Employees should be able to recognize suspicious emails and avoid opening attachments that aren’t from a reliable source. The experts also strongly recommended that all software be kept up to date with all the latest anti-virus protection, including programs like Adobe, which often receive patches to protect against the latest viruses.

“There are ways that companies can put intrusion detection systems or some kind of firewall around their information that would make [ransomware attacks] much more difficult,” said Tamla Tymus, a Durham, N.C., attorney and expert in cybersecurity. “It’s just like a burglar. If there are 10 houses on the street and nine with ADT signs, they’re going to go after the one without an ADT sign. They hop around and try to find the systems that don’t have that.”

One thing that all the experts agreed on is that if a law firm does end up on the receiving end of a ransomware attack, it should immediately report the attack to law enforcement, starting with the FBI’s Cyber Crime division. In North Carolina, state law also requires companies to provide timely notice to anyone whose personal information is compromised by a security breach, although notice may be delayed if law enforcement determines that it would impede an ongoing investigation.

Kiefer strongly discouraged law firms from paying the ransoms demanded and recommended bringing in outside IT help to try to recover the data — a law firm without an in-house IT department typically won’t be able to recover the data on its own.

“Using commonsense in avoiding getting infected by the ransomware is critical,” Kiefer said. “Once you’re infected it’s tough to get rid of, it’s expensive to get rid of, and you have a lot of down time in your business while you get rid of it.”