Securing Your Firm from Sodinokibi-Like Ransomware Attacks

"We are living proof you can do evil and get off scot-free."

The infamous May 2019 message from ransomware group GandCrab may have claimed to be a farewell, but today it reads more like a warning. GandCrab had, in 2 years, claimed to have collected over $2 billion in extortion payments before announcing its "retirement". Today, cybercrime group REvil—also known as Sodinokibi—seemingly follows in its footsteps, with some security experts believing that the black hat group is a restructuring of GandCrab with the intention of operating with a smaller, more exclusive base of users to reduce their criminal footprint.

REvil has successfully enacted multiple high-profile attacks, including its most recent and infamous operation yet: stealing almost a terabyte of data from high-profile celebrity law firm Grubman Shire Meiselas & Sacks. Sodinokibi has with this move already drummed up considerable media focus with attention grabbing demands, from its $42 million ransom to suppress supposed information on President Trump to releasing 2.4GB of legal documents pertaining to Lady Gaga, while also boasting its plans to auction the legal data of Madonna.

The success of the cyberattack on Grubman Shire Meiselas & Sacks has undoubtedly been noticed by law firms and similarly sized enterprises everywhere, but the law firm is hardly alone. Sodinokibi has struck operations of all kinds and sizes, from municipal governments around the world to large corporations like data center provider CyrusOne and foreign exchange bureau Travelex. While some lucky enterprises may have avoided paying REvil's ransoms, they surely instead faced the costs and difficulties of recovering their systems, most often by enlisting the expensive help of third party cybersecurity firms. Those difficulties can only be compounded for law firms who deal in encrypted and secured data.

Of course, these are only the firms who have recently fallen under attack—we have no frame of reference for how long REvil was working to undermine any of these firms' security. It is certainly likely, especially given the dramatic and dangerous shift to remote work, that many more businesses will begin to fall to Sodinokibi ransomware. The code's continuous state of update itself indicates the growth and success the Sodinokibi criminal community has found, with Sodinokibi's recent 2.2 update enabling would-be ransomers with even more methods of encrypting user files.

Sodinokibi, like its predecessor GandCrab, operates on a Ransomware-as-a-service model, meaning that affiliate hackers share any ransomed money they receive in exchange for the support and code of the Sodinokibi team. This method of operation only serves to widen the scope of damage Sodinokibi is looking to enable.

How to Protect Your Law Firm?

As with enterprises, law firms everywhere are looking to take steps to minimize risk and protect themselves from these ransomware attacks as well as the many other forms of cyberattack which are threatening businesses now more than ever. To protect themselves, organizations must quickly become vigilant and proactive when it comes to their cyber posture, by doing all they can to comprehensively arm themselves with the tools and resources needed to manage their own security. Tools like firewalls and VPNs can of course be used to protect assets accessed by employees as though they were in-office, but firms need to take further steps to make sure they're comprehensively meeting their individual business needs. To do so, firms do not just need strong but flexible solutions which provide visibility to the security of their whole network but also to invest in cyber hygiene education, so that the management of legal documents can be safely ensured even in "disaster" scenarios like the massive shift to at-home work we've seen in response to COVID-19.

That cyber hygiene cannot stop, however, at the individual level. The goal of ransomware, like REvil, is to find a price point at which it is more efficient to pay the demanded ransom than reboot operations from the ground-up. The best way law firms can hope to combat the growing wave of cybercrime is to combine proper security at the operations and individual level with a detailed Incident Response Plan. Firms can prepare to mitigate damage by maintaining network backups and having in place plans for secure internal and external communication.

With proper planning and choosing the right cybersecurity tools in place in advance of attack, law firms can drastically reduce their risk of damage and look to continue their operations as smoothly as possible in the face of a cyberattack.

Heather Paunet is the Senior Vice President of Product Management at Untangle, responsible for building the right products for customers, taking into account customer needs and market trends. She has over 15 years' experience driving the development and go-to-market of software solutions. Prior to joining Untangle, she held product leadership roles at Cisco Systems, and was Vice President of Product at various high-tech security and networking companies in the Silicon Valley. She has a Bachelor of Science in Computer Engineering and spent the first few years of her career as a software engineer.