The Impact of Ransomware on Law Firms
Ransomware is a rapidly growing threat for everyone in business and one that could be especially damaging for the law firm. Over the past year we have seen some of the biggest ransomware attacks ever mounted including WannaCry, NotPetya and Bad Rabbit, to name but three. Huge sums of money have been paid over to ransomware attackers and there is an ever-growing pressure on businesses of all kinds to ensure that information and client data is kept safe.
However, for the law firm, it is not simply the potential cost of paying a ransom that is the problem. A law firm that is locked out of its IT for even a short period of time could soon find that it is unable to meet important client deadlines, complete on purchases or pursue court cases. The implications could be catastrophic – a fact which will not have escaped those cybercriminals keen to exploit vulnerabilities in law firms who think that it will never happen to them.
Ransomware is becoming one of the main threats to digital business around the world. According to Cisco 49% of businesses reported at least one cyber attack in 2016, of which 39% were ransomware attacks. The US alone recorded a 300% rise in ransomware attacks between 2015 to 2016.
What is more, no one is immune: from small businesses to large ones, from government organisations to health trusts, all are regarded as fair game by the ransomers. A sobering statistic is that somewhere, a company is hit with a ransomware demand every 40 seconds.
Moreover, in a regulated sector such as the law, being hit by a ransomware attack simply because adequate steps have not been taken to protect the firm’s security could leave the firm subject to disciplinary sanctions and negligence claims from clients.
What is Ransomware?
Ransomware is a type of malware that prevents the target victim from accessing files or data on their computer or network until such time as a ransom has been paid.
Basically, there are two main ways in which ransomware works – encryption and locking.
With encryption, the ransomware encrypts files so that the user cannot read or access them until a ransom has been paid, when, in theory, a decryption key is supplied to the victim to decrypt the files and restore access. Examples of this kind of ransomware have included CryptoLocker, TeslaCrypt, Locky, CryptoWall and others.
Locking, on the other hand, locks the user out of their equipment until such time as a ransom is paid. This can operate at the Windows login level or can affect what is known as the master boot record, preventing the operating system from even booting up. In either case, users are unable to use their systems until the ransom is paid. Examples of this include WinLocker, Reveton, Satana and Petya.
Crypto-ransomware, as encryptors are usually known, is the most widespread and is the kind most likely to be encountered by businesses. Usually, the ransomware encrypts the files in such a way that they cannot be decrypted without the decryption key. What is more, it will often attack many different types of files, including documents, data files, images, videos and audio files. Encryptors can even scramble file names, with the result that the victim is unable even to know which files have been encrypted.
Normally, once the victim has been infected they will receive a message telling them that their data has been encrypted and demanding that a payment be made, usually in Bitcoin (which cannot be tracked by law enforcement agencies). There may even be a time limit placed upon the payment to put the victim under pressure to pay. Ignoring the time limit can result either in an increase in the ransom or the destruction of the affected files.
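The section above describes what crypto-ransomware leaves behind: files whose contents no longer have any readable structure, often under a renamed or bolted-on extension. The following script is an added illustration and is not part of the original article. It measures the Shannon entropy of each file in a folder and separates files that are high-entropy because they are normally compressed (images, archives, modern Office formats) from files that should be readable but are not, which is one simple signal that encryption has taken place. The extension lists, the 7.5 bits-per-byte threshold and the sample files it builds in a temporary folder are all assumptions chosen for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions whose contents are normally compressed or encrypted anyway, so high
# entropy is expected and is not a signal on its own (assumed list, not from the article).
EXPECTED_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4",
                         ".mp3", ".pdf", ".docx", ".xlsx", ".pptx"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data,
    8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((count / n) * math.log2(count / n) for count in Counter(data).values())


def classify_file(path: Path, sample_size: int = 65536, threshold: float = 7.5) -> str:
    """Classify one file from its first `sample_size` bytes.

    'normal'     - entropy below the threshold, i.e. readable structure survives
    'expected'   - high entropy, but the extension says compressed content is normal
    'suspicious' - high entropy under an extension that should not have it
                   (a .txt file, or a document with a bolted-on .locked suffix)
    """
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if shannon_entropy(sample) < threshold:
        return "normal"
    return "expected" if path.suffix.lower() in EXPECTED_HIGH_ENTROPY else "suspicious"


def scan_tree(root: Path) -> dict:
    """Walk `root` and group relative file paths by classification."""
    result = {"normal": [], "expected": [], "suspicious": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[classify_file(p)].append(p.relative_to(root).as_posix())
    return result


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: a plain-text memo, a JPEG-like random blob, and a file
    such as an encryptor might leave behind (random bytes under a renamed extension)."""
    (root / "memo.txt").write_text(
        "Completion is scheduled for Friday; please confirm funds have cleared.\n" * 50)
    (root / "photo.jpg").write_bytes(os.urandom(8192))
    (root / "contract.docx.locked").write_bytes(os.urandom(8192))


def demo() -> dict:
    """Build the sample tree in a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:10s} {files}")
```

Run as a script it prints three buckets; only contract.docx.locked lands in the suspicious one. A check like this is a recovery-time aid for working out which files were touched, not a substitute for the preventive measures discussed later in the article.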
Why is Ransomware Such a Problem for Law Firms?
Although ransomware is a problem for all businesses, the very nature of the work that law firms do and the way in which they need to do it makes them an especially vulnerable target. Factor into that equation the reluctance of many law firms to believe that they will ever be affected and the low level of resources that many have to be able to address security issues and it will quickly be seen that for law firms, ransomware attacks are a disaster simply waiting to happen.
Take for example the attack on DLA Piper in June of this year. They, like many other businesses in the world, were attacked by the Petya malware and as a result, the entire firm was locked down across the world, unable to access phones, emails and other forms of communications. 3,600 lawyers in 40 countries were affected. They were without phones for a whole day, without email for six days and it took them almost two weeks to regain access to many of their documents and files. How would you and your clients fare were such a scenario to pan out within your firm? What would be the potential losses you might incur? Would you know what to do in the minutes following the attack?
Ransomware attacks move very fast. When the WannaCry attack took place in May, it was reported to have infected more than 200,000 computers in over 150 countries in just 24 hours. There is no way, therefore, that you are going to be able to prevent such an attack once it has started. Most ransomware takes from about 20 seconds to a few minutes to encrypt or lock a system or device.
With so little time to react before ransomware has taken hold, the only strategy that firms can take is one of avoidance – encouraging safe behaviours to avoid ransomware striking in the first place. Steps such as better user education and phishing awareness are one way to reduce the ransomware risk. That, however, will not completely eliminate the threat and firms must adopt other strategies such as firewalls, adequate backups and the protection of their end-points – all of which we will cover shortly.
Why has Ransomware Come to the Fore?
As computers developed, so did cybercrime. Initially, many attacks were carried out by those who simply wanted to show they could hack into other computers and networks, or by those who wanted, possibly for ideological or political reasons, to cause disruption and gain notoriety. The image of the disillusioned but gifted teenager sitting in their bedroom hacking into military and government websites grew and, as a result, hacking and cybercrime were not taken as seriously as they should have been.
However, things have now moved on. The new breed of cybercriminal is someone who is doing it for profit, or because they have been paid to cause damage to a business. The proliferators of ransomware come within this category and ransomware is almost exclusively malware that is developed for profit.
What is more, ransomware is not only here to stay, it is likely to become an ever-greater problem. Every day new variants are being developed and, with large numbers of potential victims still not taking steps to prevent an attack, cybercriminals are going to continue to use ransomware as a means of extorting money.
Indeed, ransomware is itself becoming a business, with a growing market for RaaS (Ransomware as a Service). Thus, cybercriminals wanting to carry out a ransomware attack can now go to the dark web and find malware creators who are prepared to sell their services in return for a share of the profit. Some even collect the money, deduct their share and send the rest on to the perpetrator.
The simple fact is that lack of vigilance on the part of the cyber community is allowing ransomware to proliferate and it would almost certainly be far less of a problem if users were more careful. Not that lack of vigilance is the sole preserve of smaller businesses – although they are a regular target. Many cybercriminals have realised that businesses – especially those who do not have the resources to upgrade their IT systems – make lucrative targets. Unfortunately for many law firms, they fall fairly and squarely within that definition.
What is more, the ransoms that businesses are prepared to pay are growing. Reports indicate that of those businesses infected in the past year, 70% have opted to pay the ransom with half paying between $10,000 and $40,000.
It is fairly safe to assume that as more and more cybercriminals become involved in ransomware so they will start to look at ever smaller businesses to hit.
Is your Firm Likely to be Affected by Ransomware?
The simple answer to the question is probably yes, you will be affected – if not directly then certainly indirectly as a result of not being able to deal with another business that has been hit.
The first point to bear in mind is that, on the whole, cybercriminals like to take the easy route. If they think that your firm, or the sector in which your firm operates, is a potentially lucrative target and that protections are scarce or even non-existent, then they are going to attempt to attack your business. Many law firms are small, have limited IT resources and possibly do not understand what they should be doing to protect the firm from attack, yet they could be handling many millions of pounds worth of client funds or be engaged in time-sensitive litigation or business deals where a delay of a few hours could make or break a transaction. Who better to target?
How, for example, would your firm respond to a ransomware attack on a Friday morning just as completions were about to start to take place? If you were locked out of your system, how quickly would you be willing to pay a ransom? Even if it were not your firm but another firm involved in a chain of transactions that was attacked, how would you protect the interests of your client? What contingency measures do you have in place? How would you implement them?
How Does Ransomware Attack a System?
One of the most common means by which a ransomware attack can take place is through an email that carries a link to malicious software or an infected attachment. Spam email has a great advantage, from the criminal’s point of view, in that it is cheap to send and can be sent to a large number of potential victims in the hope that one of them will follow a link or open an attachment. Email addresses can be purchased in large numbers on the dark web, and even a strike rate of less than 0.1% can still net the criminal a substantial return.
Cyber attacks can also occur indirectly. Here the perpetrator of the attack first attacks a legitimate website and inserts malicious code into its pages. The result is that anyone visiting that site, which they may have assumed was a “safe site”, becomes infected with the ransomware. This could, therefore, be used as a means to target a potentially lucrative sector, even one which has reasonably high levels of security: pick a popular but vulnerable site, infect it and wait for unsuspecting targets to come along.
A further method which is regularly used is the so-called “drive-by download” – that is to say, a download that happens when visiting a website, viewing an e-mail message or by clicking on a pop-up window that is, for example, masquerading as an error message. Also, there is malvertising – the practice of injecting malicious or malware-laden advertisements into legitimate online advertising networks and web pages. Ransomware can even be spread by SMS messages sent to mobile devices and from one infected computer to another.
Something which it is worth bearing in mind is that ransomware invariably uses evasion techniques to prevent it from being picked up by anti-virus programs. This means that simply because you have an anti-virus program on your device (and a large number of people still do not) does not mean that you are safe.
The Regulatory and Legal Implications of Ransomware
So, suppose that you are unlucky enough to be affected by a ransomware attack or, equally worrying, unwittingly act as the disseminator of ransomware to others. Where does this leave you from a legal and regulatory position?
As a solicitor, you are subject to the provisions of the SRA Principles 2011 which provide, inter alia, that you act in the best interests of each client, provide a proper standard of service to your clients, run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles and protect client money and assets. Failing, therefore, to take all reasonable steps to prevent the firm from becoming subject to a ransomware (or indeed any other form of) attack would be a breach of those principles.
These are further backed up by the provisions of the SRA Code of Conduct 2011 which specifically state in Chapter 7 that:
- you identify, monitor and manage risks to compliance with all the Principles, rules and outcomes and other requirements of the Handbook, if applicable to you, and take steps to address issues identified; Outcome O(7.3)
- you maintain systems and controls for monitoring the financial stability of your firm and risks to money and assets entrusted to you by clients and others, and you take steps to address issues identified; Outcome O(7.4)
- you comply with legislation applicable to your business, including anti-money laundering and data protection legislation; Outcome O(7.5)
There may also be confidentiality implications. If someone has hacked into your system then theoretically they may have accessed – and almost certainly will have tampered with – confidential client data. Outcome O(4.1) provides you “keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents” and at Outcome O(4.5) that “you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks.” If you have not taken steps to prevent a malware breach of any sort then it is likely that you will be found to be in breach of these provisions.
The SRA Code is not the only regulation or legislation to which you are subject.
Businesses such as law firms that hold personal data as data controllers do so under the provisions of the Data Protection Act 1998 which provides in the seventh of the data protection principles that businesses have an obligation to take “appropriate technical and organisational measures” to guard against “unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Failing to take adequate steps to prevent the firm from becoming subject to a ransomware attack would in all probability be in breach of this principle especially if the attack could have been avoided by the use of up-to-date anti-virus software, adequate training, staff awareness, the use of firewalls or the operation of appropriate policies and procedures.
Indeed, inadequate staff training and organisational policies and controls are among the most frequent reasons why the Information Commissioner’s Office imposes a monetary penalty. The ICO highlighted ransomware in its formal guidance document published in January 2016, “A Practical Guide to IT Security”, and emphasised the need for businesses to have a robust data backup strategy, so as to avoid disruption to the availability of personal data held and a potential breach of the Data Protection Act 1998.
Furthermore, if through your firm’s negligence or even collusion you become responsible for disseminating ransomware then you may find that you are caught by section 3 of the Computer Misuse Act 1990 which states that a crime is committed if a person “does any act which causes an unauthorised modification of the contents of any computer.” That offence carries a custodial sentence of up to 10 years. Likewise, if the dissemination is to the United States then it is likely that the Computer Fraud and Abuse Act will apply which can again result in as much as 10 years in prison.
Then there is the situation where you wish to pay the ransom. What is the implication of this?
Under English law, there is no prohibition on the payment of ransoms per se and there is no general duty to report ransom requests to the police. This is backed up by the judgment of Lord Justice Rix in the case of Masefield A.G. v. Amlin Corporate Member Limited EWCA Civ 24, who commented that ‘there is no evidence of [ransom] payments being illegal anywhere in the world. This is despite the realisation that the payment of ransom, whatever it might achieve … itself encourages … the purposes of exacting more ransoms’.
So far as money laundering is concerned, things are not quite so clear-cut. If a firm were to pay a ransom in the knowledge, or having a reasonable suspicion, that the money paid would be used for terrorist financing, then this could constitute an offence under section 17 of the Terrorism Act 2000. However, it would have to be established that the person paying the ransom had knowledge or a reasonable suspicion that the funds would or may be used for the purposes of terrorism. In the case of a ransomware attack, this would be unlikely, since such attacks are generally perpetrated by unknown individuals and entities. So far as the Proceeds of Crime Act 2002 is concerned, however, it is likely that this would not be relevant, since the payment of the ransom would not become the proceeds of a crime until such time as it has been received by the person carrying out the ransomware attack.
The Potential Impacts of a Ransomware Attack
Apart from the obvious problems of not being able to access your files, the cost of the time lost in dealing with the problem and the need to consider the payment of a ransom, what are the potential impacts of a ransomware attack?
First of all, there is the reputational impact that could cause long-lasting damage to your firm. Clients who become aware of the fact that you have been attacked – especially if it is because you have taken few if any precautions – are going to be less likely to have confidence in your firm in the future. Not only will you have to recover from the direct financial impacts of the attack, but also you are going to find it harder going forward to attract clients and therefore be less able to weather the financial difficulties.
Secondly, there is going to be reduced productivity immediately following the attack since manpower and resources will need to be diverted to dealing with the aftermath, additional repair costs will need to be absorbed and systems will need to be upgraded.
Thirdly there will inevitably be an impact on your workforce. Those involved in clearing up the problems that have arisen will find themselves having to work harder with greater demands being placed upon them. On the other hand, those whose jobs have been affected by the attack but who are not able to be utilised in clearing up the aftermath may find themselves on short-time working or even out of a job if the firm is unable to continue operating in a particular sector. Firms that use consultants may be unable to supervise or manage them or the consultants may have lost valuable files resulting in a loss to them which they may wish to seek recompense for from the firm affected.
There may be a human impact side to the attack as well. Individuals within the firm may have been put under pressure as a result of the attack – especially if they feel that they have in any way been responsible – and some ransomware attacks actually use threatening words and images to help coerce those attacked into making a payment quickly. Those directly involved can even become depressed and exhibit the symptoms of trauma.
Clients who have been affected by the attack may feel that the firm has been negligent in not making adequate provision and may wish to seek recompense for any loss they have incurred.
Regulatory action might follow if the SRA, for example, feels that the firm has been less than careful in how it deals with the potential problem of an attack.
Avoiding a Ransomware Attack
So what can be done to avoid a ransomware attack?
No one solution is going to be enough. Firms must be prepared to take a multi-faceted approach to the whole issue.
The first step is to accept that a ransomware attack might happen to your firm and to take that threat seriously. If such an attack does take place, it is unlikely to be a minor inconvenience. It could be a catastrophic event which could lead ultimately to the closure of your practice. We could, for example, be talking about the destruction or permanent encryption of all of your files, business data, client information, emails and more: in fact, everything that you have stored on your electronic devices. What is more, don’t assume that because your firm keeps a low profile, does not buy online, does not subscribe to online sites and does not do social media that you will be safe. You will not. Somewhere along the line, you will have left a mark.
The very fact that you are practising in the legal sector, have an email address and possibly a web presence and undertake work for clients could have the effect of making you a target.
Secondly, the firm must carry out a cyber health check, looking at all of its assets and analysing all of the areas where there could be vulnerabilities. This involves considering processes, people, systems, technology, software, backup, support, contingency and every other aspect of the firm’s practice.
Thirdly, and one of the most important aspects when it comes to a successful recovery from a ransomware attack, is the way in which data, files and information are backed up. Do not store important data only on a PC, laptop or network server. Back that data up, preferably in three places: on a hard drive, on a backup disc and in the cloud. In the case of your cloud backup, do not leave it connected by default all day: open it only to synchronise your data and then close it down again.
Many businesses follow a policy known as 3-2-1 backup and recovery. This requires that you:
- have at least three copies of your data – the original copy and at least two backups.
- back up your data on two different types of storage device – for example a portable hard drive and the cloud.
- maintain at least one copy of the backup data offsite.
The 3-2-1 backup and recovery rule is a best practice because it makes sure that whatever happens, you will have a copy of your data.
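The 3-2-1 rule above only protects you if the backups are actually restorable and at least one of them is out of reach of whatever encrypts the live system. The script below is an added example, not code from the article or from any backup product, showing the two checks a firm should run routinely: it archives a folder with a SHA-256 manifest, restores the archive into a scratch directory and compares every file against the manifest (a test restore), and it evaluates a described set of copies against the 3-2-1 rule plus the article's point about not leaving the cloud copy connected all day. The BackupCopy fields, the media labels and the sample client files it creates in a temporary folder are assumptions made for the demonstration.

```python
import hashlib
import json
import tarfile
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path) -> tuple:
    """Archive every file under `source` into dest/backup-<UTC stamp>.tar.gz and
    write a JSON manifest of relative path -> SHA-256 beside it."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest / f"backup-{stamp}.tar.gz"
    manifest = dest / f"backup-{stamp}.manifest.json"
    digests = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                digests[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(digests, indent=2))
    return archive, manifest


def verify_restore(archive: Path, manifest: Path) -> list:
    """Restore the archive into a scratch directory and return the relative paths that
    are missing or whose SHA-256 differs from the manifest (empty list = restorable)."""
    expected = json.loads(manifest.read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # Never extract an archive that tries to write outside the scratch directory.
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(scratch)
        for rel, digest in expected.items():
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256_file(restored) != digest:
                problems.append(rel)
    return problems


@dataclass
class BackupCopy:
    label: str
    media: str              # assumed labels, e.g. "internal-disk", "external-disk", "cloud"
    offsite: bool
    always_connected: bool  # mounted or syncing all day, so reachable by malware on the live system


def check_321(copies: list) -> list:
    """Return the requirements that a set of copies fails; an empty list means compliant."""
    failures = []
    backups = [c for c in copies if c.label != "original"]
    if len(copies) < 3:
        failures.append("fewer than three copies (original plus two backups)")
    if len({c.media for c in copies}) < 2:
        failures.append("copies are not spread over two different storage types")
    if not any(c.offsite for c in backups):
        failures.append("no backup copy is held offsite")
    if backups and all(c.always_connected for c in backups):
        failures.append("every backup is permanently connected; an encryptor on the live system could reach all of them")
    return failures


def demo() -> dict:
    """Constructed sample: three small matter files backed up to a scratch 'external disk'."""
    with tempfile.TemporaryDirectory() as tmp:
        source, dest = Path(tmp) / "matters", Path(tmp) / "external-disk"
        (source / "smith").mkdir(parents=True)
        dest.mkdir()
        (source / "smith" / "contract.txt").write_text("Sale of 12 Example Road\n")
        (source / "smith" / "completion.txt").write_text("Completion: Friday\n")
        (source / "ledger.csv").write_text("matter,balance\nsmith,250000\n")
        archive, manifest = create_backup(source, dest)
        return {"files_backed_up": len(json.loads(manifest.read_text())),
                "restore_problems": verify_restore(archive, manifest)}


if __name__ == "__main__":
    print(demo())
    # An original plus a permanently connected sync folder fails the rule twice.
    print(check_321([BackupCopy("original", "internal-disk", False, True),
                     BackupCopy("sync folder", "cloud", True, True)]))
```

The test restore is the part firms most often skip: a backup that has never been restored is an assumption, not a safeguard, and the manifest comparison is what turns it into evidence.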
Keep your operating system and all of your software and applications up to date – criminals often use exploits in old software that the software manufacturers are aware of and have closed down in later versions. In particular, keep your anti-virus software up to date. Whilst it will not guarantee that you are not attacked, it will certainly help to prevent it.
On a day-to-day basis, do not access your computer using administrator privileges. Unless you are planning to upgrade something, you do not need them. Instead, use a standard (non-administrator) user account with restricted privileges.
Turn off any macros that you do not regularly use in programs such as Office 365 etc. If you do not use them you do not need them and they simply increase your vulnerability. For example, there are many vulnerabilities that surround the use of macros in Microsoft Office.
Do not use lots of plugins in your browser and in particular be wary of Adobe Flash, Adobe Reader, Java and Silverlight. The Bad Rabbit ransomware attack started with a fake Adobe Flash installer, downloaded from compromised websites, which carried the actual ransomware. If you really must use these plugins, set your browser to ask whether you want them activated when you need them. Make sure that your browser’s security and privacy settings are appropriately high as well. Finally, think about using an ad-blocker to weed out potentially dangerous advertisements.
In terms of emails, be especially wary. Don’t open spam emails or emails from sources you do not know, and absolutely never open attachments of which you are unsure. Likewise, don’t click on links, no matter how interesting they look, unless you are absolutely sure where they are taking you. In fact, you would be better advised to work out which site they mean and then visit that site independently.
Think about whether the savings from not updating operating systems and software are worth the risk of being held to ransom. Aside from the actual cost of the ransom, there is the disruption to your services and the reputational damage it could cause with customers and clients.
Think long and hard before adopting a Bring Your Own Device (BYOD) policy. Employees bringing in their own devices to use on your network could introduce vulnerabilities of which you are unaware.
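The email advice above ("be sure where a link is taking you", "never open attachments of which you are unsure") and the earlier point about Office macros can be partly automated at the mail gateway or in a triage script. The following is an added example, not code from the article: it parses an email with Python's standard library, flags anchors whose visible text names one website while the href goes to another, flags punycode (xn--) hostnames that can imitate a familiar name, and flags attachments that are executable, macro-enabled (.docm, .xlsm) or carry a hidden second extension such as statement.pdf.exe. The risky-extension lists, the sample message and every address and hostname in it are constructed for the demonstration.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types that run code or carry macros (assumed list, not from the article).
RISKY_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta",
                  ".jar", ".iso", ".docm", ".xlsm", ".pptm")
DOCUMENT_SUFFIXES = ("pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png")
# Visible link text that looks like a bare domain or URL rather than ordinary words.
DOMAIN_RE = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(text: str) -> str:
    """Lower-cased hostname of a URL or bare domain with any leading 'www.' removed."""
    host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def link_findings(html: str) -> list:
    """Flag anchors whose shown domain differs from the real destination, and punycode hosts."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = hostname_of(href)
        shown_host = hostname_of(text) if DOMAIN_RE.match(text) else ""
        if shown_host and shown_host != real_host and not real_host.endswith("." + shown_host):
            findings.append(f"link shown as '{text}' actually goes to {real_host}")
        if any(label.startswith("xn--") for label in real_host.split(".")):
            findings.append(f"punycode hostname in link: {real_host}")
    return findings


def attachment_findings(msg: EmailMessage) -> list:
    """Flag executable or macro-enabled attachments and document names hiding a second extension."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES):
            findings.append(f"executable or macro-enabled attachment: {name}")
        pieces = name.split(".")
        if len(pieces) >= 3 and pieces[-2] in DOCUMENT_SUFFIXES:
            findings.append(f"document name with a hidden second extension: {name}")
    return findings


def analyse_message(msg: EmailMessage) -> list:
    """Combine link and attachment findings for one message."""
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part is not None else ""
    return link_findings(html) + attachment_findings(msg)


def build_sample_message() -> EmailMessage:
    """Constructed phishing-style message; all addresses and hosts are invented."""
    msg = EmailMessage()
    msg["From"] = "accounts@invoices.example"
    msg["To"] = "fee-earner@lawfirm.example"
    msg["Subject"] = "Completion statement - action required"
    msg.set_content("Please review the attached statement.")
    msg.add_alternative(
        '<p>Review it in your <a href="http://secure-login.example.net/portal">'
        "www.lawfirm-portal.example</a> account.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="statement.pdf.exe")
    return msg


if __name__ == "__main__":
    for finding in analyse_message(build_sample_message()):
        print("-", finding)
```

On the sample message the script reports the mismatched link and two problems with the attachment. It is deliberately conservative: ordinary wording such as "click here" is not compared against the destination, because only a visible domain that contradicts the real one is evidence of deception.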
Consider having regular vulnerability tests undertaken – for example, penetration tests to see if your organisation would be able to defend itself against a ransomware or other form of cyber-attack (e.g. intrusion attacks or denial-of-service attacks).
Have in place policies for all aspects of your cyber use, ensure that those policies are communicated to managers and staff and ensure that adequate training is put in place so that staff know what to expect and how to avoid problems.
Carry out a risk analysis so that you can work out where your potential vulnerabilities lie and then take steps to close those vulnerabilities down.
Put in place a disaster plan so that, in the event that the worst happens, you and your staff know how to respond and what to do and not do.
Adopt a defence-in-depth approach and have a number of different layers of defence against an attack. Think about:
- put in place hardware and software defences such as a firewall or Unified Threat Management (UTM) device,
- undertake staff awareness and training sessions,
- implement policies and procedures designed to prevent attacks,
- back up sensitive data to a number of locations,
- use security professionals to test your network and its defences so as to check for vulnerabilities.
Above all, do not rely on one solution alone.
To Pay or Not To Pay?
Finally, the big question. If you are attacked, should you pay the ransom or not?
Really this is not something that someone else can answer for you. Ideally, as with all ransom situations, the answer should be a resounding NO. If no one paid up, the criminals would soon stop because they would not be making any money from their criminal activities. Even if you do pay up, there is no guarantee that you will get the decryption key or have your device unlocked and, even if you do, you are reliant on the skill of the malware producer as to whether the decryption will work properly, if at all.
In reality, however, the firm is going to need to ask itself a number of questions, including:
- Do we have a backup and can we restore that which we have lost? If the answer is yes then the firm might be happy to ignore the demand and simply start again with the backup.
- Can we afford the ransom? Often the ransom itself is not very high and the firm might, in any event, have set money aside for such an eventuality and feel that the loss to the firm from not paying would be greater than the sum set aside. The payment becomes, effectively, just another business overhead.
- If we pay up, are we increasing the chances that we will be targeted again, possibly for even larger sums or in even more damaging circumstances? It is possible that if the firm does not pay it will not be seen as a soft target in the future and the ransom attacker will look elsewhere for softer targets.
- Are we likely to get the data back even if we do pay? It may be that the attacker never had any intention of reversing the damage or, through lack of skill on their part, the decryption key does not work.
- Are there any cybersecurity companies out there that can recover the data? Although some of the ransomware variants have been cracked, this is by no means the case with all of them.
If at the end of the day your business is likely to suffer by more than the ransom demand then you may feel it is worth taking the risk and paying the ransom. Otherwise, on a purely business analysis, you might not feel that this is the case.
By way of conclusion, it is worth bearing in mind that prevention is better than cure: if you have a network and procedures sufficiently robust that you don’t get hit by ransomware in the first place, then you will not have to recover from it. That is, of course, the ideal position. However, relying on this alone is not a fool-proof method of avoiding ransomware, as the software is evolving and you can never be sure that what is secure today is going to be secure tomorrow.
The next layer of protection is to have backups in place so that even if an attack does succeed, you don’t need to give in to the attackers because you can reconstruct your data and operating system effectively so that going forward is not a problem.
However, even if you have backups, you still need to move from locked out to functioning on new equipment with the backups restored. That alone could cause business disruption – but it might be no greater than the disruption that would be caused if you were to pay and be decrypted. You, therefore, need to have in place contingency arrangements for disaster recovery and managers need to know how they would move to the recovered position – for example, operating from a separate location not connected to the network that has been hit.
Then, even if you have backups and a plan for what would happen if you were hit, you still need to make sure that staff are trained to be aware of the potential dangers and know what to do and what not to do to avoid them. Only in that way can you be sure that all of the other arrangements are not wasted.
Finally, you need to think about whether you would pay up in any event and, if so, whether you should have resources to hand in order to make the payment. You don’t want to find that you are permanently locked out simply because you lacked the financial liquidity to pay within the period given.