Ed. Remark: Today we are pleased to publish the first in a new series of articles, Cybersecurity: Advice from the trenches, by our friends at Sensei Enterprises, a boutique provider of IT, cybersecurity and digital forensics services.
The good old days of ransomware
Yes, there really was âthe good old days of ransomwareâ. We call it Ransomware Version 1.0. The ransomware “landed” on your network, encrypted your data, and presented a ransom for the decryption key that would decrypt your data. Fairly innocent times compared to version 2.0 of Ransomware, which preceded the pandemic, but then flourished as lawyers flew home to unsecured home networks in March 2020.
The Devil Who is Ransomware Version 2.0
Ransomware gangs have figured out that two ransoms are better than one. So now ransomware attacks steal your data before encrypting your network. If you have truly built a resilient network, you may be able to recover without paying the ransom. On the flip side, there can be so much downtime and lost productivity that you decide to pay anyway, especially if the payment is picked up by your cyber insurance company.
Relatively recently, attacks include finding and destroying all network-connected backups, as well as disabling or ultimately running the very software you are using to detect a ransomware attack.
But even if you don’t pay the first ransom note, most companies get a second ransom note for (you hope but may never know) destroy your data. In the meantime, they may disclose some of your confidential data online on a “ransomware wall of shame” or alert reporters of the breach to trick you into paying the ransom and confirm they are in possession of the data.
A small ray of light and an ominous warning
Cybersecurity firm Coveware announced at the end of the third quarter of this year that the average payment for ransomware remained at $ 140,000, the same as last quarter.
But here’s the disclaimer law firms should note:
Coveware claims that small and medium-sized professional services companies, especially law firms and financial services firms, are most vulnerable to ransomware attacks due to their lack of cybersecurity preparedness, apparently because they think they are too small to target.
This thought has always been wrong, but it is even more so now. Why? Because governments and law enforcement are putting enormous pressure on ransomware gangs. These efforts have intensified since the attack on the colonial pipeline in the spring of 2021.
Coveware says, âWe have seen statistical evidence and intelligence showing that ransomware actors are trying to avoid larger targets that may elicit a national political or police response. This shift from “big game hunting” to “middle game hunting” is personified both in the ransom amount statistics but also in the victim size demographics for the quarter.
In other words, ransomware gangs can avoid attacking the AmLaw 100, but not medium-sized companies who still hold very valuable data.
As ransomware gangs move from big game to midsize game, what should a law firm do?
The answer would require much more space than an article can provide. But follow the tips below and you’ll have a good start!
1. Enable 2FA (two-factor authentication) wherever you can. It will stop 99.9% of all credential-based takeover attacks. Microsoft and Google are starting to enforce the use of 2FA for all users. This should tell you something. And while you’re at it, start exploring the Zero Trust Architecture, which completely abandons the outdated notion of protecting the perimeter of a law firm and adopts a mantra of ânever trust, always verifyâ.
2. Get Endpoint Discovery and Response (EDR) protection for all devices on your network. This solution will monitor behavior indicating malware or the existence of an attack.
3. Have multiple backups, test them often, and always have at least one isolated backup so that it cannot be encrypted or destroyed!
4. Apply updates and fixes quickly – if you’re worried they might âbreakâ something, have a third party test them before you apply them (some companies sell this service for a reasonable price).
5. Check or disable network services, especially those that are not needed. Do not use the remote desktop protocol.
6. Limit privileged access and deploy a privileged access management solution.
7. Conduct cybersecurity awareness training for employees at least once a year – twice is better – intermittent reminders of phishing, social engineering, etc. are useful – as well as phishing simulations.
8. One of the best resources available (and written in plain English) is the one-stop-shop CISA website.
9. Purchase a cyber insurance policy, but beware. Costs increase while coverage decreases. Cyber ââinsurance claims take much longer and most law firms are unable to give insurers the cybersecurity guarantees they want.
10. Have (or develop) a comprehensive Incident Response Plan (IRP) to avoid panic and errors if you experience a ransomware attack. Train on the plane – at least use tabletop exercises, adding and subtracting things, that is, the managing partner climbs a mountain and is unreachable, the electronic grid has fallen , your employees publicized the violation on social media – as you might imagine, there is a long list of possible complications. But not having an IRP at all (and most small and medium-sized businesses don’t) is unforgivable and probably unethical given your duty to reasonably protect companies’ confidential data. By all means, make sure that the IRP is stored somewhere (paper or electronic) that the ransomware cannot encrypt and make it inaccessible.
Final words
There is no âfix and forgetâ when it comes to cybersecurity. We will come back every month with more data and adviceâ¦.
Sharon D. Nelson (snelson@senseient.com) is a practicing lawyer and President of Sensei Enterprises, Inc. She has served as President of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is the co-author of 18 books published by the ABA.
John W. Simek (jsimek@senseient.com) is Vice President of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and Renowned Expert in the field of digital forensics. . He and Sharon provide legal technology, cybersecurity and digital forensics services from their firm in Fairfax, Virginia.
Michael C. Maschke (mmaschke@senseient.com) is the CEO / Director of Cyber ââSecurity and Digital Forensics at Sensei Enterprises, Inc. He is an EnCase Certified Examiner, Certified Computer Examiner (CCE # 744), Ethical Hacker Certified and a Certified AccessData Examiner. He is also a Certified Information Systems Security Professional.