While journalists are calling 2016 the “Year of Ransomware,” more and more users are blindsided by that stomach-lurching pop-up note announcing that every file on your computer is now encrypted and held for ransom. This post explains what ransomware is, why cybercriminals are targeting law firms, and how you can avoid the pestilential pop-up.
A Bad Day in Tulsa
When the note popped up on Grayson Barnes’ screen he had only recently begun working at his father’s law firm in Tulsa, Oklahoma. He knew he’d have a steep learning curve, but didn’t expect that his early lessons would include negotiating with cyberpirates.
Now he was told he had five days to pay up $500 in Bitcoin, or lose all of his files forever.
Barnes told TIME the stakes for him were high: “It wasn’t just a day’s worth of work. It was the entire library of documents.”
So as one would do in any kidnapping or robbery case, Barnes called in the Law. But shrugs and condolences were all he got, both from the local police and the FBI. Cybercriminals could live anywhere — the Heat often can’t even figure out which country they’re working out of, let alone track them down and lodge a successful prosecution. What’s worse, they informed Barnes that even if he paid up the $500, there wasn’t any guarantee he’d get his files back.
After two days and a run through the seven stages of ransomware-grief (shock, expletives, denial, anger, depression, more expletives, and finally, acceptance), Barnes’ firm paid up, and the pirates got what they wanted.
The ‘Cyber Pearl Harbor’
Grayson Barnes of Tulsa, Oklahoma is not alone. Despite advances in cyber-security, attacks are growing, and moving from personal users to some of the biggest businesses. Former Secretary of Defense Leon Panetta went so far as to warn that the open frontier of the internet could spawn a “cyber Pearl Harbor.”
But this is setting out to be the year of the law-firm hackers, and not just because of the massive Panama Papers leak from law firm Mossack Fonseca. Hackers less interested in whistleblowing are digging into the weakly-guarded treasure troves of information held in firm computers. In February, the underground Russian website DarkMoney.cc posted a have-gun-will-travel advertisement from a cybertheft specialist, who identified specific law firms as potential targets. Similar attacks hit home on some of the country’s most prestigious law firms, such as Cavath Swaine & Moore LLP and Weil Gotshall & Manges LLP, which represent Wall Street banks and Fortune 500 companies.
This isn’t the first time law firms have been poached by cybercriminals. As early as 2009, the FBI issued an alert to law firms that they were being targeted for cybercrime. When law firms failed to protect themselves adequately, in November of 2011, the FBI invited 200 of the largest law firms to a meeting in New York to discuss the urgency of their concern that sophisticated cyberattacks targeting law firms were only going to increase.
Now the Bureau is investigating a series of hacks that have bested some of the nation’s most prestigious law firms. And according to the Wall Street Journal, the whole racket is only “picking up steam.”
Senior partners at top law firms anonymously report a veritable deluge of phishing emails attempting to crack their systems. Phishing is an attempt to hook sensitive information by sending an email that appears to come from a trustworthy source. But this isn’t a poorly-edited money-transfer plea from Nigeria: these are well-researched, carefully-crafted email messages, often targeting a high-level member of the firm. In crime-fighter speak they’re ‘advanced persistent threats,’ or APT. What it means is that even careful readers of emails can find themselves fooled into opening malware.
Such sophisticated attacks were used against Los Angeles law firm Gipson, Hoffman & Pancione. The firm revealed that they had received emails targeting members of the law firm that appeared to come from other specific individuals in the firm. (This attack, which forensic specialists believe originated in China, happened to come after the firm filed a $2.2 billion copyright infringement suit against the People’s Republic of China.)
In these information-gathering attacks, it can be difficult to pinpoint exactly what was stolen, as hackers often squirrel away huge amounts of information and decide later on what they can use. But the really juicy secrets that make a hacker salivate come from firms specializing in patents and intellectual property law. These secrets can then be used for insider trading, as information from patents in process or details about upcoming mergers and acquisition can be used to game the stock market.
But another cybercrime danger threatens law firms of all sizes and specialities: ransomware.
The Rise of the Bitcoin Extorters
Around the world, dozens of law firms have recently been held to ransom by escalating cyber attacks.
It begins first with an infection from a nasty download or bad app. Ransomware comes in two flavors: ‘locker’ and ‘crypto.’ A locker virus doesn’t affect users’ data, but cuts off their access on their device. Crypto viruses don’t affect the user’s access, but encrypt each file into a hopeless scramble until the encryption key is purchased with the ransom.
The price to get your files back depends on the hacker, but is usually set around $500, and is typically demanded in hard-to-track bitcoin. Corporations and law firms, however, typically face higher prices, as hackers are aware of the urgency they’ll feel to get their files. A 434-bed hospital, reduced by cybercriminals to keeping records with pen and paper, paid a ransom of 40 bitcoins — or about $17,000 — to recover its files.
A University of Kent survey found that some viruses boast a ‘success rate’ of over 40%, meaning that over a third of its victims pay the ransom, making tens of millions for the cybercriminals who use it. Hackers are earning more than $70,000 a month on these attacks, and like any lucrative business, it’s on the rise. In the second quarter of 2015 alone there were over 4 million cases of ransomware. Symantec estimates 250% increases in new ransomware, explaining how it’s development is now mimicking conventional software, with engineers, manufacturers, retailers and consumers.
Law firms are feeling the sting. This spring, Thomas Brown of the Brown Firm in Florida admitted to paying $2500 in bitcoin to release their documents from ransomware. In an even sadder story, the U.S. law firm Goodson admitted in 2014 that its entire server had been prey to ransomware (a popular one called Cryptolocker). After trying to disable the infection, they finally attempted to pay a $300 ransom. But it was too late. Every file was lost.
Protecting Yourself and Your Clients
In these dire situations, what’s an attorney to do?
While everyone wants to avoid cybercriminals, attorneys have an additional responsibility to fend them off from getting access to clients’ files. ABA Model Rule 1.6(c) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
What this means varies by state. In California, the Bar determined: “An attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representation does not subject confidential client information to an undue risk of unauthorized disclosure. Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.”
What do basic protections look like? Oh, just the things that most firms lack, according to a 2011 ILTA Technology Survey. They found:
- 86% do not use or require two factor identification
- 78% do not issue encrypted USB drives
- 76% do not automatically encrypt content-based emails
- 58% do not encrypt laptops
- 87% do not employ any laptop tracking technology
- 61% have no intrusion detection tools
- 64% have no intrusion prevention tools
- 94% don’t bother to track the smart phones that are used for professional work.
The most recent survey shows these numbers have been receding, but at a slow rate. There are still plenty of low-hanging fruit for cybercriminals interested in targeting law firms.
“The bad and outdated attitudes that many attorneys have toward information security measures (and therefore necessarily, if unknowingly, their responsibility to protect confidential information) must be overcome. Many of these attitudes reflect one of the general characteristics of the legal profession: conservative by nature and slow to change habits and behavior. Lawyers, curiously enough given their profession, often dislike and are reluctant to abide by mandated rules or proscriptions. This is especially so if they do not adequately understand the particular proscriptions and the reasons behind them.”
In addition to robust spam-filtering services to block messages with viruses, pop-up blockers, and up-to-date software, law firms should invest in trainings on ransomware and how to avoid it. Most computer viruses come through a fraudulent email with a downloadable attachment. Often they appear to be from trusted brands like FedEx. About 23% of people open these messages, and more than 10% click on the attachment. Computers can also catch the bug by simply visiting a bad website or joining an infected network. Sites to watch out for are purveyors of porn and pirated movies and TV shows.
Personnel trainings will become more crucial as ransomware grows more sophisticated and targeted. As cybersecurity expert James Scott noted: “In Cybersecurity, people are considered the weakest link. They are also both the most abundant resource and the most susceptible target.”
What to do if you’re breached?
And if it’s too late? If you opened that email that seemed to be from Amtrak and too late discovered it was ransomware — what then?
Most security experts recommend not paying the ransom. Any money you give to the cybercriminals will be used to develop worse and more sophisticated attacks in the future. If you do pay, then you’re still not guaranteed to get your files back.
Of course, this advice is much easier to heed if you have your files backed up. Regular back-ups is the best way to dull the pain of cyberpirates. It’s even better if you use a secure cloud-based case management platform, (yes, like Filevine), so that even if the b**tards wreck your laptop, your files can be safely accessed from an uninfected device.
After an attack, you also need to consider your ethical duties to disclose a data breach. Some cyberattacks are focused on gathering data, while others might never access that information, but simply block your ability to get to it until you pay the ransom. This is why the majority of ransomware attacks remain unreported, as firms fear losing client confidence.
If you determine that data might have been leaked, you then need to navigate your state’s breach-notification laws. Some states have statutes to protect their residents’ ‘personally identifiable information.’ Nevada and Massachusetts became the first to pass these provisions, in 2008 and 2009 respectively. There are also special regulations on protecting information of people and entities in the EU.
Guidance can also be found in Bar Association opinions, like the one released by the New York City Bar Association last year, clarifying that attorneys must report hacking and other information breaches. They wrote that clients must be informed that their interests might be at risk, and it doesn’t violate attorney ethical obligations to report cyberfraud to enforcement authorities.
Firms working with healthcare entities have additional requirements to consider with the HIPAA data security and privacy regulations (in January 2013, amendments to the regulations expanded the definition of “business associate” to include law firms with “covered entities” as clients).
Journalist Michael Hiltzik worries “the awful truth may be that ransomware is here to stay.” Law firms don’t have much time to get their members trained, put in protections, and get their work up securely on the cloud.