Eric Thompson, Kroll's managing director of cyber risk practice.

For Kroll's new cyber risk practice managing director, if this summer's high-profile ransomware attacks of local government agencies signify one thing, it's the evolving economics of cyber warfare. Suffice it to say, it's a whole new threat out there.

Eric Thompson joined Kroll after founding e-discovery and digital forensics company AccessData in 1987. He stepped down as AccessData's CEO and CTO in 2012. More recently he co-found Rincon Capital, an investment group. 

Thompson is now joining Kroll's cyber risk practice, which last month appointed JPMorgan Chase & Co.'s Michael Vega as associate managing director of cyber risk. In his new role, Thompson will work to improve small and midsize businesses' cyber resilience, as well as work with Kroll's malware and analysis team to research ransomware and crypto analysis.

During a conversation with Legaltech News, Thompson discussed how ransomware is evolving and how forensic companies are leveraging cryptography and code-breaking to prevent and safeguard against attacks. The responses have been edited for clarity and length.

Legaltech News: What are some of the cybersecurity threats small and midsize companies in particular face?

Eric Thompson: Ransomware has become an ever-more attractive funding source, and ransomware as a service has become a thriving business. The problem is, the vast majority of the small and midsize businesses do not have teams of cybersecurity experts on staff. Beyond the normal challenges faced by small and medium businesses, they just don't have typically the financial depth or the ability to build the kind of cyber fortification to withstand this type of professional-level type of attack.

Are law firms specifically targeted?

It's happening with everyone across the spectrum. The thing about law firms that makes them a lucrative target is because they are so dependent upon the data they have and that data is extremely sensitive, which makes them an ideal target for both data extraction as well as ransomware.

What role does cryptography and code-breaking play in forensics?

The foundation behind malware is the use of strong encryption to encrypt the data and then to leverage that or use that encryption to force the law firm or the victim to have to pay a ransom to get their data back. I spent the first 10 years of my career analyzing codes, analyzing encryption systems, analyzing methods by which to break encryption systems and looking for vulnerabilities. That's what we are looking at here, as well as understanding who the threat actors are and looking for ways to minimize the damages they are inflicting.

What are some practical applications of cryptography and code-breaking research?

Cryptography and code-breaking research are related—one is the creation of encrypted algorithms and the other is the analysis of those encryption systems and looking for weakness. Obviously, we need strong encryption to help protect our data and our networks, to protect our data from exploitation.

We have the GDPR [General Data Protection Regulation], the California Consumer Privacy Act and credit card security regulations that require data to be encrypted, so that's on the cryptography side. … We [also] have everything from digitally signing contracts that involves crypto to securing case files in systems and communications over virtual networks.

Do the recent ransomware attacks of various government agencies in Florida, Baltimore and other cities represent a significant shift ?

Yes, the economics of cyber warfare is changing. Ransomware is becoming much more lucrative. Organized crime, rogue states, they now have much more economic incentive to make better, more efficient, more effective ransomware.

What we've seen in the past has been more hit and run—get in, get what you can and get out. That was kind of a common attack methodology we saw maybe five, eight years ago. Now, when threat actors are in, they move laterally through the organization. They are meticulous, they are methodical, they are patient, they stay as long as they need to detect as much as they can to extract maximum value. They often establish multiple back doors, they can wait for weeks, months or years before executing a lethal attack. The whole dynamics are in the process of changing.

Why do they have more incentive now?

One of the big game changers has been the access to bitcoin and other payment methods that are anonymized. A challenge that ransomware had years ago was how to secure payment before they decrypt the data. Now with the acceptance of bitcoin and the availability of bitcoin, this is an anonymous means of transferring money to a threat actor, which was not available to us just a few years ago. That has completely changed the dynamics, and it's the last piece of the puzzle that has made ransomware much more of a viable way of securing money for organized crime and other illegal organizations.