It's 9 a.m. on a Monday after a long weekend. You arrive at your downtown office prepared to tackle a brief for the new multinational corporation you are representing in their upcoming patent infringement case. You grab your coffee, say hello to your co-workers and sit down at your desk to begin. You enter your password and log in. You browse to the folder on your server or Document Management System where all the critical documents collected from your client detailing the “secret sauce” of their latest product are stored. To your horror, none of the files will open and there is a text file in the folder that you do not recognize called ryuk.txt. Congratulations, you are the victim of a ransomware attack.

Ransomware (or extortionware) is a type of malicious software that encrypts user-generated files or entire file systems with strong encryption for which only the attacker holds the key; the cipher itself is not the weak point, and brute-forcing it is not an option. Without clean, offline backups or a published decryptor for that particular strain, the only way to recover the data is to pay thousands, and in some cases millions, of dollars in cryptocurrency to the attackers in return for the decryption software or keys. As James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology, stated, “Ransomware is unique among cybercrime because in order for the attack to be successful, it requires the victim to become a willing accomplice after the fact.” The primary distribution method for ransomware continues to be email (malicious attachments and links), along with internet-exposed Remote Desktop Protocol (“RDP”) servers that have poor password policies or lack multifactor authentication (“MFA”); attackers find these servers by scanning and get in by guessing passwords.
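As an added illustration of the RDP path just mentioned (example code, not from the article or its author), the Python below runs simple detection logic over a few constructed, simplified Windows logon events: it flags a source address that racks up repeated failed RDP logons inside a short window, and records whether the same source then logged on successfully, which is the point at which the attacker is inside and ransomware deployment can follow. The log line format, the IP addresses and the account names are all constructed for this example; real events arrive as EVTX/XML and would need parsing first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article). Fields: ISO timestamp,
# Windows event ID (4625 = failed logon, 4624 = successful logon),
# logon type (10 = RemoteInteractive, i.e. RDP), account name, source IP.
SAMPLE_LOG = """\
2019-06-03T02:14:01 4625 10 administrator 203.0.113.7
2019-06-03T02:14:03 4625 10 administrator 203.0.113.7
2019-06-03T02:14:05 4625 10 admin 203.0.113.7
2019-06-03T02:14:07 4625 10 admin 203.0.113.7
2019-06-03T02:14:09 4625 10 backup 203.0.113.7
2019-06-03T02:14:11 4625 10 backup 203.0.113.7
2019-06-03T02:14:13 4624 10 backup 203.0.113.7
2019-06-03T03:00:00 4625 10 administrator 192.0.2.9
2019-06-03T03:30:00 4625 10 administrator 192.0.2.9
2019-06-03T04:00:00 4625 10 administrator 192.0.2.9
2019-06-03T04:30:00 4625 10 administrator 192.0.2.9
2019-06-03T05:00:00 4625 10 administrator 192.0.2.9
2019-06-03T08:58:40 4625 10 jsmith 198.51.100.5
2019-06-03T08:58:55 4624 10 jsmith 198.51.100.5
2019-06-03T09:00:01 4625 2 jdoe 127.0.0.1
"""

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_line(line):
    """Parse one constructed log line into a dict of typed fields."""
    ts, event_id, logon_type, account, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "src": src,
    }


def find_rdp_password_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for every source with at least `threshold`
    failed RDP logons inside some span of length `window`.

    A finding carries the total failure count, the accounts tried, and
    `success_after`: True when the same source later logged on successfully
    over RDP, i.e. the guessing worked and the host should be treated as
    compromised, not merely probed."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:  # ignore console/network logons
            by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event_id"] == FAILED_LOGON]
        trigger = None
        start = 0  # left edge of a sliding window over the failures
        for end, f in enumerate(fails):
            while f["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                trigger = f["ts"]  # time the burst crossed the threshold
                break
        if trigger is None:
            continue
        findings[src] = {
            "failures": len(fails),
            "accounts": sorted({f["account"] for f in fails}),
            "success_after": any(
                e["event_id"] == SUCCESS_LOGON and e["ts"] >= trigger for e in evs
            ),
        }
    return findings


if __name__ == "__main__":
    for src, finding in find_rdp_password_guessing(SAMPLE_LOG).items():
        print(src, finding)
```

With the default five-failures-in-five-minutes rule, only 203.0.113.7 is flagged, and its `success_after` is True: six guesses across three accounts followed by a successful logon as `backup`. The single mistyped password from 198.51.100.5 is not flagged, and the non-RDP failure is ignored. The slow guesser at 192.0.2.9, one attempt every half hour, slips under the default window and is only caught with a much wider one (`window=timedelta(hours=3)`), which is the usual weakness of threshold rules and the reason that not exposing RDP to the internet and requiring MFA matter more than detection alone.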

Ransomware attacks are growing and evolving

According to the Symantec Internet Security Threat Report (ISTR), in 2018, corporate enterprises accounted for 81% of all ransomware infections, an increase of 12% over the 2017 numbers. Additionally, ransomware variants are becoming more sophisticated and making recovery after an incident harder. Lastly, 2018 saw a 33% increase in the number of mobile device-based ransomware attacks.

According to an April 9, 2019, article in The Texas Lawbook, “Forty-two of the 49 business law firms surveyed report that a cyber-attack victimized them in 2017 and 2018. Thirty-one of the 49 firms, which represent companies in litigation, regulatory and transactional legal matters, say their operations suffered a 'breach of law firm data' during the two-year period.” Law firms have quickly become a one-stop-shop for cybercriminal ransomware attack payouts, as well as the potential to exfiltrate highly sensitive information.

Traditionally, ransomware has been distributed with a “cast-a-wide-net” mentality. Hundreds or thousands of malicious emails are sent to random potential victims, and attackers deem the campaign successful if as little as 1% of recipients are compromised. More recently, however, cybercriminals are turning to “big game hunting”: targeted ransomware attacks on victims they believe have deep pockets, often launched only after days or weeks of quiet reconnaissance inside the victim's network.

These cybercriminals are also using ransomware mixed in with highly sophisticated malware. The software modules are blended, much like a nasty cocktail, into a more devastating form of attack that allows the attackers to operate covertly on the victim's network before anything is encrypted. For example, Ryuk, the ransomware at the center of many recent attacks, is typically the last stage of a chain of Emotet, TrickBot and Ryuk. Emotet serves as the glass for the drink: it arrives as a malicious email attachment or link and gives the attackers their initial foothold. TrickBot is the alcohol: it harvests credentials, spreads across the network, and steals and exfiltrates sensitive data. Ryuk is the kick at the end: once the attackers have mapped the network and reached the servers and backups, they deploy it to lock the systems. The ransom note in the opening scenario is only the final, visible step of an intrusion that may have been underway for weeks.

Legal counsel have a great responsibility

As legal counsel to companies that collect and use everything from social security numbers to personal health data, law firms and the lawyers who work for them have a particular duty to help protect that information and to know what to do if a breach does occur. As with any other victim of a data breach, state and federal regulations govern the obligation to notify affected parties and to disclose the specifics of a breach.

The American Bar Association has issued ABA Formal Opinion 483, outlining the importance for lawyers to plan for the possibility of an electronic breach or cyberattack and to understand how model rules come into play when an incident is either detected or suspected. The opinion states, “When a breach of protected client information is either suspected or detected, (the competence rule) requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.”

The opinion also advises, “Lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.” Any decisions related to incident response, including “whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan,” should be made before any member of legal counsel becomes involved in an actual data breach.

Reducing risk and responding to breaches

Many steps can be taken to reduce the chance of becoming a cyber victim. In response to massive data losses, in 2008, the SANS Institute created the Critical Security Controls for Effective Cyber Defense (“Critical Security Controls”). The Critical Security Controls are a list of 20 critical actions that an organization can and should take to prevent or mitigate cyberattacks. The Center for Internet Security, which now manages the Controls, states on its website, “Organizations that apply just the first 5 CIS Controls can reduce their risk of cyberattack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.” For ransomware specifically, the controls covering controlled use of administrative privileges, monitoring of audit logs and, above all, tested data recovery from backups kept offline or otherwise out of the attacker's reach decide whether an incident is a nuisance or a catastrophe.

To make the information technology and cybersecurity program of any organization as resilient as possible, a combination of internal and external risk assessment must occur. Additionally, the supply chain and third parties must be monitored continuously, and the products they provide and the tasks they complete must be analyzed and tested as they move through the chain. This undertaking is hard to achieve alone. Leveraging the expertise of an outside security consultant helps an organization benefit from information sharing and address vulnerabilities that originate in the broader ecosystem.

If you are the unfortunate victim of an attack, there are three main things to remember:

  1. Stay calm and think rationally. It is critical that, in the immediate aftermath of discovery, steps are taken to preserve the “scene” so that a full investigation can occur. At the same time, steps must be taken to cut the attackers off from the system. The two goals are compatible if affected machines are isolated from the network rather than powered off, wiped or reimaged; wiping destroys the logs, memory and ransom notes that the investigation (and any decryption attempt) will need.
  2. Implement your incident response plan. Just like planning for a fire or natural disaster, companies must have a plan for how to respond to a cybersecurity incident. The immediate aftermath of a discovered incident is not the time to be “winging it.”
  3. Engage experts, such as a data breach lawyer or cyber forensics expert. They can determine the cause and scope of the breach, including what to do to stop it and prevent further breaches from occurring. Notify your insurance carrier early as well: many cyber policies require prompt notice, and the carrier can help you report the breach and confirm whether the policy covers data breach mitigation expenses.

As ransomware continues to evolve and become more targeted, it may become even more difficult to mitigate the risks associated with data breaches. Staying current on attacker techniques and having a tested incident response plan in place is the best starting point if you are part of a legal team dealing with clients that have access to sensitive data.

Douglas Brush is the Vice President of Cyber Security Solutions at Special Counsel. He has over 25 years of entrepreneurship and professional technology experience. He is a recognized expert in the field of cybersecurity, incident response, digital forensics and information governance.