Gone are the days when a regular backup will cover your firm’s files and protect sensitive data and clients' privacy. As technology advances, hackers become more savvy to match, and it is becoming dangerous not to have the latest in security protection for your firm’s hardware. In the year 2016, using 1999 backup protection does not suffice.
Many law firms do not regularly monitor backups, leaving the responsibility wholly to a sole IT professional or staff member. Partners and attorneys do not understand what the process involves, nor do they know what to do if files suddenly become encrypted and locked, as is the case in a ransomware attack.
Data encryption, while a positive security step, can be a law firm’s nightmare if it comes in the form of a ransomware breach. Ransomware locks a law firm’s network, encrypting files and preventing access unless a ransom is paid to the hackers. The ethical dilemma of whether to pay the individuals holding your firm’s data for ransom is a situation no attorney ever wants to contemplate. And, even if the ransom is paid, there are no guarantees any of the data will be released by the key provided.
Ransomware is a genuine threat, and to prevent it from happening to your firm you need to take preventative steps. Once the system is locked, there are very few options to salvage data and/or your reputation if word of the attack reaches clients.
It is an attorney’s duty to protect all information provided to them by clients. Prevention is the best policy when anticipating the possibility of a ransomware attack.
What forms of ransomware are there?
Multitudinous ransomware programs — or families, much like organized crime — exist and originate from all over the world. While this kind of computer hijacking mostly occurred in European countries in its infancy, it is rapidly spreading to the rest of the world.
There are over 35 different kinds of ransomware making the rounds online. Each family of the hijacking tool has its own built-in differences that set it apart from other programs. Although some refer to ransomware as a virus, it is not one in the strict sense, which is why the usual antivirus software does not catch it. Malwarebytes or SpyHunter may stop attacks, and other solutions also purport to stop ransomware before it can infect a computer.
The most fearsome family of malware is the Cryptowall family. It is particularly insidious because it appears to be innocent until someone clicks on the wrong thing and it deploys.
This type of ransomware sends attachments that appear to be legitimate files. Someone may open an attachment they believe is an invoice, business document or file from another law firm, which lets Cryptowall out of the bag. Once the ransomware has been deployed, it encrypts your law firm’s data, including data on all mapped drives.
Cryptowall takes no prisoners. If your firm has mirrored drives or backup drives on the network via a server or USB port, the files on these devices will also be affected. This is one moment when having an IT expert may or may not help. The latest iteration of Cryptowall is even able to scramble the file names of all encrypted files, leaving you to wonder where to even start the cleanup.
Anti-virus software is not a defense in this case. The latest Cryptowall is not easily detected, and it finds and erases restore points. Going back to a time prior to being locked out is no longer a viable option.
The Cryptowall family is designed to work on all versions of Windows, including Windows 7 and 8, Vista and XP, and uses RSA-2048 encryption. Once unleashed on a computer, the damage is done and users receive a message similar to the following:
"Decrypt service Your files are encrypted. To get the key to decrypt files you have to pay 500 USD/EUR. If payments is not made before [date] the cost of decrypting files will increase 2 times and will be 1000 USD/EUR Prior to increasing the amount left: [count down timer] We are present (sic) a special software — CryptoWall Decrypter — which is allow (sic) to decrypt and return control to all your encrypted files."
A law firm these days needs full, in-depth backups stored in secure cloud storage or on a rotation of drives that are disconnected from the network after each backup and taken off-site. How often should your firm back up its files? For some, it might be a weekly duty. For others, it may need to be done daily. Keep this rule of thumb in mind when deciding how often data needs to be backed up: how hard would it be to re-create locked, lost information?
How are these programs spread?
Cryptowall and other members of similar malware families are spread in the most innocuous ways possible, via very cleverly crafted spoof emails and by malicious websites (not always caught by a malware program). In other words, it is spread by the very things that we all expect to receive from friends and possibly clients.
The malware email is typically worded in such a way that the person to whom it was sent does not think to question its authenticity. The email usually appears to be sent by someone known to the victim of the attack, saying they are sending something the recipient asked for. Attached will be a ZIP file, which does not appear to be a threat. When the attachment is opened, in mere seconds all data becomes encrypted and inaccessible. In an office, not just one computer will be affected — it will spread through the whole office network (cable or Wi-Fi) right back to its servers and the data on them.
More concerning is the other mode of delivery for ransomware: via fake updates for applications such as Adobe Reader, Flash Player or the Java Runtime Environment. These updates may show up in pop-up windows on an unsafe website, or if a Potentially Unwanted Program (PUP) is installed on your computer. Spoof websites are also a source of ransomware infection. A spoof website can be a bank website, joke website, quote of the day website or free music or picture download site. Admittedly, attorneys working in an office may not be surfing the web for such sites, but a friend may send them a link to such a site, and once the link is clicked, the damage is done.
How do Cryptowall and other such malware programs work?
There is a sort of beauty to the simplicity of the methods these programs use to lock a computer. The ability to encrypt data is resident on virtually any device. Normally, you may encrypt your own documents safely with your own key, and may access them later.
These malware programs take over, perform the encryption and keep the key. There is no way to open the files without the key. What is even worse is that these programs also encrypt any backups, because most backups are attached to the system.
Ransomware does not just encrypt data; it also drops several files into the directories where it has encrypted data. Those files may look like: DECRYPT_INSTRUCTION.txt, DECRYPT_INSTRUCTION.html and DECRYPT_INSTRUCTION.url.
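Because those note files sit in every directory the ransomware touched, they are a quick way for an IT professional to map the extent of an infection. The sweep below is an added example written for this article, not the author's code; the three note names come from the text above and the sample directory tree it scans is constructed.

```python
"""Sweep a share for the ransom notes CryptoWall drops beside the data it encrypts.
Added example for this article (not the author's code); sample tree is constructed."""
import os
import tempfile

# Note file names quoted in the article; matched case-insensitively.
RANSOM_NOTE_NAMES = {"decrypt_instruction.txt", "decrypt_instruction.html",
                     "decrypt_instruction.url"}

def find_ransom_notes(root):
    """Return {relative_dir: {"notes": [...], "other_files": n}} for every
    directory under `root` that holds a ransom note.

    The notes are the reliable indicator: newer CryptoWall variants scramble
    the encrypted files' names, so matching on extensions fails. `other_files`
    counts the rest of a flagged directory, i.e. data to restore from backup.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if f.lower() in RANSOM_NOTE_NAMES)
        if notes:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            hits[rel] = {"notes": notes, "other_files": len(files) - len(notes)}
    return hits

def build_sample_tree(root):
    """Constructed sample share: two hit directories and one clean one."""
    layout = {
        "Clients/Acme": ["DECRYPT_INSTRUCTION.txt", "DECRYPT_INSTRUCTION.html",
                         "DECRYPT_INSTRUCTION.url", "x7q2a.zzz", "k9p1m.zzz"],
        "Shared/Finance": ["decrypt_instruction.TXT", "invoice_2016.pdf"],
        "Shared/Templates": ["engagement_letter.docx"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d)
        for name in names:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("sample\n")

def demo():
    """Build the sample tree in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_ransom_notes(root)

if __name__ == "__main__":
    for rel, info in sorted(demo().items()):
        print(f"{rel}: notes={info['notes']} other_files={info['other_files']}")
```

Point `find_ransom_notes` at a mounted share instead of the sample tree to list which folders need restoring from an offline backup; the clean `Shared/Templates` folder shows that directories without a note are left out of the report.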
Another form of ransomware can lock the screen only. It displays an image or notification that says users/victims may no longer use their system, and provides instructions on how to pay the ransom.
What you can do if your law firm computer is infected
The instant you see the demand for payment, turn the computer off and remove the network cable. Then call an IT professional immediately. In most instances, the prognosis is grim — it may result in the whole office’s network and servers having to be rebuilt or replaced.
According to some malware hunters, such as SpyHunter by Enigma Software, ransomware can be detected and removed. In SpyHunter's case, the scanning tool is free, but if ransomware is detected, you have to buy SpyHunter's removal tool and recover all files from an external backup. Ransomware is a very real threat to law firms. Do not assume you are not going to be hit. Be proactive and avoid the experience. It is not worth playing Russian roulette when your whole computer system and reputation are at stake.