December 2021 Tech Tip - Tips for Identifying and Stopping a Ransomware Attack

by Brad Paubel

Ransomware could cost the economy $20 billion this year. See John Ford et al., 2020 Was a Bad Year for Ransomware. 2021 Will Be Worse., Barron’s (Jan. 8, 2021), https://www.barrons.com/articles/2020-was-a-bad-year-for-ransomware-2021-will-be-worse-51610124513. In particular, the legal industry is subject to this threat as it holds such a large volume of sensitive information that appeals to ransomware hackers. Thankfully, robust training for lawyers and staff can help prevent ransomware attacks and mitigate any potential damage.

Ransomware attacks happen when a bad actor, a cybersecurity adversary interested in attacking information, tricks someone in an organization into clicking on a link or downloading a file that installs a virus on their computer. This tactic, known as “phishing,” can involve hundreds of attempts against any computer users on a given network. Once downloaded, that malware will start to encrypt all the files on that individual’s computer and then move on to any system connected to it. This transmission is vital to its success as the malware does not stop with one computer or device: anything on the same network will soon be vulnerable.

Users will then receive a ransom demand asking for payment—usually in Bitcoin or another hard-to-trace cryptocurrency—to decrypt the files. Previously, paying the ransom would unlock the data. However, ransomware criminals have recently taken ransom and kept the data to sell on the so-called dark web. This outcome is another reason why preventing a ransomware attack in the first place is so important.

In order to detect and prevent a ransomware attack, all attorneys and staff should watch for early signs, such as the following:

An increase in phishing attempts. If a firm’s lawyers and staff start noticing a significant uptick in spam emails, that could be a sign bad actors are looking for ways to plant malware. Since it only takes one person clicking on a bad link or mistakenly downloading a virus-laden file to potentially infect an entire network, any increase in phishing attempts should immediately set off alarm bells.

Unauthorized access alerts. A firm’s network administrator may see an increase in unauthorized access attempt notifications. Individuals may also receive emails letting them know someone has tried to reset their passwords. These are all indicators that a ransomware attack may be underway.

Virus protection alerts. If an outside bad actor is trying to place malware on someone’s computer, any installed virus protection software may raise an alert and block the program from running. Having up-to-date antivirus software is an excellent idea as it provides the first line of defense.

Scrambled file names or contents. When malware encrypts the data on a computer, it will often scramble the names of files or make it so these files cannot be opened. If a user is looking at their drive and notices their usual file names have been replaced with unrecognizable gibberish, that could be the early start of a ransomware hack.

Computers locking up. Malware can interfere with a computer’s operating software, and that will cause performance issues, including system freezes. If these start to happen out of nowhere, ransomware could be the culprit.
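The "scrambled file names or contents" sign above can also be checked automatically. The following sketch is an added example, not part of the original article: it flags files whose contents no longer match their type or look like random data. The 7.5 bits-per-byte threshold, the 30% alert ratio, the function names and the sample files are all assumptions constructed for illustration.

```python
import hashlib
import math
import os
from collections import Counter

# Leading "magic" bytes that intact files of these types start with.
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".png": b"\x89PNG\r\n\x1a\n"}
ENTROPY_LIMIT = 7.5  # bits per byte; assumed threshold, encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: low for ordinary text, near 8 for ciphertext."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def looks_scrambled(name: str, data: bytes) -> bool:
    """Flag a file whose content no longer matches what its name promises."""
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC:
        # Compressed formats are high-entropy even when healthy, so check the header.
        return not data.startswith(MAGIC[ext])
    # Plain-text or unrecognized extension: random-looking content is the warning sign.
    return shannon_entropy(data) > ENTROPY_LIMIT


def scan(files: dict[str, bytes], alert_ratio: float = 0.3) -> tuple[list[str], bool]:
    """Return the flagged names and whether enough files are flagged to raise an alert."""
    flagged = sorted(n for n, d in files.items() if looks_scrambled(n, d))
    return flagged, bool(files) and len(flagged) / len(files) >= alert_ratio


def fake_ciphertext(seed: str, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted content (deterministic, not malware output)."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(-(-size // 32)))
    return b"".join(blocks)[:size]


# Constructed sample share: two healthy files, three that have been overwritten.
SAMPLE = {
    "engagement-letter.pdf": b"%PDF-1.7\n" + b"Engagement terms and fee schedule. " * 50,
    "notes.txt": b"Call with client on Tuesday about the deposition schedule.\n" * 40,
    "brief.docx": fake_ciphertext("a"),
    "exhibit-3.png": fake_ciphertext("b"),
    "q8Zx1.k3vq": fake_ciphertext("c"),
}
```

Calling `scan(SAMPLE)` returns the three overwritten files and an alert flag of `True`; a check like this supplements the human warning signs and does not replace antivirus software or backups.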

If users see any of the above signs, they should immediately shut down their computer and disconnect from the law firm’s network(s). That includes both physical (i.e., LAN cable) and Wi-Fi connections. The computer should be completely air-gapped, meaning no data is going between it and the rest of the firm’s computers.

Once an infected computer (or computers, if the malware has spread) is disconnected, you can start searching for the malware in order to remove it. This search can be tricky, and third-party service providers can do it for you to ensure the malware is completely gone. If cost is an issue, software is also available for this. Only after a system is completely clean should data be restored from a cloud backup.

As you can see, backing up data early and often is key to bouncing back quickly from a ransomware attack. Even before they train staff and attorneys on how to identify and respond to ransomware attacks, firms should implement a robust system for backing up data. Ideally, this will be stored offsite through a cloud service provider. That way, if there is an attack, a clean backup is available to reinstall once any trace of malware is removed from the onsite systems. Cloud backup services also regularly scan data for malware and other viruses, which acts as a stopgap to any measures a firm has in place.

Prevention and quick action can prevent ransomware from harming your business. Even the most vigilant firm may fall victim to a phishing attempt. It is almost inevitable. Thankfully, attorneys and staff who know the signs can act quickly to mitigate any potential damage. And, if an attack does happen, having a recent clean backup stored in the Cloud will restore systems and get your firm back up and running quickly.

Brad Paubel is the Chief Technology Officer and Chief Operations Officer at Lexicon, a legal technology and services company. He can be reached at bpaubel@lexiconservices.com.