Will Your Firm Survive the Next Ransomware Attack?
We hope you read our warnings about Kidnapped Computers and the new wave of highly sophisticated computer viruses.
If you didn’t, here’s a run-down of the latest mayhem, and steps you can take to protect your practice.
If you weren’t worried before: here’s one more sign that ransomware is getting more sophisticated, powerful, and in general approaching super-villain status.
Last week the world met WannaCry, a ransomware worm that has shut down at least 200,000 computers in 150 countries (when you stop crying, you can start making hippie metaphors about our global connectivity).
Most ransomware attacks we’ve seen in the past begin with ‘phishing’: users receive a seemingly innocuous email, often appearing to come from someone they know, and clicking its link or attachment installs the malware. WannaCry’s ransom note followed the familiar script: it locked up the victim’s documents and demanded $300 in bitcoin to get them back, doubling the price after three days and threatening to destroy the files after seven. (And of course, even if victims pay, there are no guarantees.)
What set WannaCry apart is that it did not need a phishing email at all. It spread as a worm, exploiting a flaw in the SMBv1 file-sharing service built into Windows (the one Microsoft patched in March 2017 under security bulletin MS17-010) to jump from one unpatched machine to the next over the network, with no one clicking anything. The tech experts will keep riddling out the details in the coming days, but that much is already clear.
Rumor has it that the kidnappers behind WannaCry have not been returning files after the ransom payment, perhaps because the worm was accidentally released too quickly, before the hackers had figured out what they were going to do once they brought the world to its knees. It’s also likely the extortioners won’t ever see the somewhat modest bitcoin sums they’ve wrung out of frantic computer-owners and companies: worldwide scrutiny on this case could make them too afraid to move the money and leave a trace.
Who are WannaCry’s greatest victims? Users running Windows machines that never received Microsoft’s March 2017 security update. Many of the computers attacked in institutions and companies were the less important units that weren’t deemed worthy of an update (insert platitude about only being as strong as our weakest link here). But it also devastated computers controlling activities so crucial that no one wanted to risk stopping and rebooting them for updates, which is perhaps why we’re hearing so many reports from hospitals, including frozen MRI scanners and blood-storage refrigerators.
Some more juicy facts about this cyberweapon: the exploit it uses to spread appears to have been stolen from an NSA stockpile of hacking tools. Microsoft is seething, comparing the whole thing to a rogue actor stealing Tomahawk missiles from the U.S. Government.
Thanks to the fast action and good luck of 22-year-old malware researcher Marcus Hutchins (whose avatar is an adorable cat with glasses), the spread of the worm was stymied, for now. He noticed that the malware checked for an unregistered web domain before spreading and simply registered it, which turned out to be a kill switch. Users in the U.S. should be especially grateful to whoever is behind that bifocaled cat, because MalwareTech’s fast moves are likely responsible for WannaCry’s failure to spread much within the U.S.
Even still, as of this writing, ransomware is reportedly infecting new computers at a rate of once per second. And in the wake of WannaCry comes a host of copycat worms and fake ‘decryptor’ tools that take your money and unlock nothing, meaning we have a long way yet until this worm’s buried.
The silver lining of this wormhole: it appears WannaCry could have been released early and accidentally. That means it wasn’t as sophisticated and powerful as it could have been. And it didn’t go after the meatiest targets, but appears to have been a random release. Fortunately: no nuclear power plants, dams, or railways were shut down. And it doesn’t seem like many law firms were harmed in the epidemic.
That also means it’s a great warning shot for those of us who haven’t gotten our sh*t together yet.
Russian officials, who got hit hard by WannaCry, called the attack “an alarming signal, and not just a signal but a direct threat to the normal functioning of society, and important life-support systems.” Another bemoaned: “I cannot exclude that the main task consists now of frightening the whole world. [. . .] The attacks hit hospitals, railroad transport, and police. Over these days, the world got a serious warning.”
WannaCry’s Warning: This is Only the Beginning
With a built-in kill switch, no apparent big target, and ransom price as small as $300, WannaCry was much weaker than it could have been. And even still it was catastrophic. Ransomware like this is especially dire for places like law firms, which have extremely sensitive and necessary information on their computers.
Attorneys are often targets of ‘spear phishing attacks’: well-researched, sophisticated, and focused attacks on targets that are usually willing to pay big bucks to get their files back. We don’t entirely know how deep this problem goes, since most firms try to keep security crises quiet. But some news has leaked out about successful law firm hacks. The Wall Street Journal revealed that successful attacks probably hit big firms like Cravath, Swaine & Moore, as well as Weil, Gotshal & Manges. The clients of these big firms are some of the world’s biggest companies. Later investigation tied the theft of this information back to the Chinese government.
But it isn’t just the big firms that need to worry. Just last year a Rhode Island firm was infected with ransomware that shut down its computers for three months. The firm wound up paying $25,000 in bitcoin ransom and losing around $700,000 in productivity. (We know about this attack because the firm subsequently sued its insurers to cover all those expenses.)
There’s even a new area of class-action lawsuit emerging from lax attorney cybersecurity. Attorney Jay Edelson recently initiated the first public data security class action complaint, directed at the Chicago law firm Johnson & Bell. Edelson is targeting fifteen other firms for weak cybersecurity, in class-action lawsuits on behalf of those firms’ clients or former clients.
Insurance broker Ames & Gough revealed that cyber-related malpractice claims are on the rise, leading to more claims on Professional Liability Insurance. There are new stand-alone cyber liability policies that cover “regulatory reporting requirements, internal costs to repair the firm’s systems, reputational costs, business interruption, and any damage to first-party data.” Insurers are unlikely to be the only ones focusing on this new area of liability: the stakes are only going to grow in the future.
What Can You Do?
Here’s the moment where we try to clear away anxieties with a list of good practices to keep yourself from WannaCry and its ilk, along with the cost, demoralization, and malpractice lawsuits they threaten.
You don’t need to return to typewriters. You don’t even need to dust out the file room and go back to a paper-heavy practice. But you do need to install software updates promptly (the Windows patch that stops WannaCry had been available for two months before the outbreak), keep anti-malware software installed and current, and regularly back up all of your documents. Backups only count if the ransomware can’t reach them too, so keep at least one copy offline or on a versioned service, and test that you can actually restore from it (this last piece is easiest if you’re already in the Cloud, with a secure, trusted case management platform like Filevine).
Also: create a strong culture of cyber-hygiene in your firm. It doesn’t matter how shrewd you are if Dale down the hall still believes a Nigerian prince needs his help. Create a norm of double-checking emails that could be suspicious — or better yet, begin moving away from email entirely.
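As an added illustration of the “update your software” step above (this is example code written for this post, not a Filevine tool or anything from the original write-up): the script below, run in an elevated PowerShell window on Windows 8.1, Windows 10, or Windows Server 2012 and later, reports whether one of the original MS17-010 updates is installed and turns off the SMBv1 file-sharing service that WannaCry used to spread. The list of KB numbers is the March 2017 set; later cumulative updates supersede them, so a missing KB means “go check Windows Update,” not “definitely vulnerable.”

```powershell
# Added example, not part of the original post. Run as Administrator.
# Works on Windows 8.1 / Windows 10 / Server 2012 and later, where the
# SmbShare cmdlets exist.

# Original MS17-010 (March 2017) updates, one per Windows version. Later
# cumulative updates replace these, so absence is a prompt to check
# Windows Update rather than proof that the host is unpatched.
$ms17010 = @('KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
             'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
             'KB4012214', 'KB4012217',   # Server 2012
             'KB4012606', 'KB4013198', 'KB4013429')  # Windows 10 builds

$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No original MS17-010 KB found; confirm the host is current via Windows Update."
}

# WannaCry spread over SMBv1. Modern Windows file sharing uses SMBv2/v3,
# so turning the old protocol off costs nothing on a current network.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is enabled; disabling it now."
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 disabled. Re-run to confirm; a reboot is not required for this setting."
} else {
    Write-Host "SMBv1 server already disabled."
}
```

If an old device on your network (a scanner or a legacy file server, say) stops working after this, that device still depends on SMBv1 and is exactly the kind of “not worth updating” machine the worm went after; fix it rather than re-enabling the protocol.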
Stay Alert for More Attacks, in New Forms:
Following all of these cybersecurity recommendations is necessary and good. But lest it give us the illusion that we’re in control, here’s another warning: some tech experts believe tips like these are useless in the realm of the Internet of Things. In order to not leave this on too cheery a note, I’ll let Bruce Schneier have the last word:
Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and our national power grid are all computers. This is the much-hyped Internet of Things (IoT). It’s coming, and it’s coming faster than you might think. And as these devices connect to the Internet, they become vulnerable to ransomware and other computer threats.
It’s only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.