A few weeks back, attorneys from two different firms spoke with me about being hit with a particularly nasty ransomware attack. In each case the firm's files were encrypted by CryptoLocker and thus unavailable. Both firms experienced about four days of downtime, meaning they had no access to their computer network. Both have since recovered from the attack, but this is where the similarities end. One firm ended up paying a ransom of $300 in bitcoin (a digital currency) in order to recover over 1 million encrypted files. The other firm elected to have their IT staff wipe their systems and rebuild from a clean backup that was about 30 days old. Yes, they lost 30 days' worth of work, but they did avoid paying the ransom. That firm was advised not to pay because there are no guarantees when paying a ransom, and doing so can invite future attacks. I can assure you the involved attorneys slept little after the attack, with a real worry that this, to use their term, "nightmare" wasn't going to end well.
If the above story made little to no sense to you, now's the time to become aware. Ransomware attacks are causing all kinds of problems for businesses of all shapes and sizes all over the world, and law firms are not immune. That said, let's keep this simple, because I'm not a computer security expert and, if you're still reading this, the odds are neither are you. The bottom line is this: you and everyone who works at your firm need to know a few things, because your actions or inactions are often to blame for these kinds of attacks.
At its most basic level, ransomware is a type of malware; think rogue software. These programs prevent you from accessing your computer or your files until you do something, which is often to pay a ransom. There are a number of different types of ransomware: some encrypt files, others lock you out of your system. Anyone at your firm can allow an attack to start by naively clicking on an infected email attachment, innocently clicking on a fake security pop-up, visiting a hacked website, or clicking on a malicious link on a social media site, and it can happen in an instant. Unfortunately, no one may be the wiser for hours, because encrypting all your files takes time. Only after the encryption process has completed will you be made aware of the attack, via a pop-up that demands the ransom payment. These programs will continue to become more sophisticated, and the ways attackers try to trick the innocent into falling prey will continue to evolve, so everyone at your firm must remain vigilant about doing their part to help protect your network.
There are a number of things you or your IT support can do to prevent these kinds of attacks. Keep your security software, internet browsers, and operating systems updated, and make certain that all update settings are set to automatic on all PCs, laptops, tablets, and smartphones. Back up regularly, and make sure that a current copy of the backup is not connected to the network, because encrypting ransomware will look to encrypt all connected drives. If your backup happens to be an external drive that is always connected, it too will be encrypted. This is one of the reasons why rotating backup drives off site or backing up to the cloud is strongly recommended.
More importantly, all network users, including every attorney and staff member at the office, need to be trained on a few security best practices that will help keep your network safe, not only from ransomware but from a wide variety of cyber-attacks. The following list is a great place to start. Understand that these rules apply not only to PCs but to laptops, tablets, and smartphones as well.
Don't click on any links in emails or sent to you on social media sites. Criminals send links that appear to come from companies or persons you know and trust in order to trick you into clicking the link. Doing so can start a download of malware like CryptoLocker or take you to a fake website that attempts to steal your personal information. If you are uncertain about the legitimacy of the email, try hovering your mouse over the link in order to view the actual hyperlinked address. If the hyperlinked address is different from the address displayed in the message, then the message is probably fraudulent or malicious. So, for example, if an email claims to be from FedEx but when you hover your mouse over the FedEx text the hyperlinked address that is displayed says something other than FedEx.com, it isn't FedEx. Also be aware that sometimes the domain name is altered. If placing the mouse over the FedEx text displays something like FedEx.com.maliciousdomainname.com, this too isn't FedEx: the real site is whatever comes last, not the familiar name at the front. If you still feel that you absolutely must see whatever the link is supposed to show you, go to the site yourself. For example, type www.FedEx.com in your browser yourself, or use a search engine to look up the correct URL of FedEx.
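The hover check described above can also be done programmatically, which is handy for IT support screening a suspicious message before anyone clicks. The following Python script is an added example, not code from the original article or from ALPS. It pulls every link out of a constructed sample HTML email, compares the domain shown in the link text with the host the link actually points to, and treats the last two labels of a host name as its "owning" domain (an assumption that ignores multi-part suffixes such as co.uk; a production checker would consult the Public Suffix List). The sample message and its domain names are constructed for illustration, reusing the FedEx.com.maliciousdomainname.com pattern from the text.

```python
"""Automate the "hover check": flag email links whose real destination
does not match the address shown to the reader."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real message). Mixes one honest
# link, one altered-domain link, one raw-IP link, and one with no domain
# in its visible text.
SAMPLE_EMAIL = """
<p>Your package is waiting.</p>
<a href="https://www.fedex.com/tracking">www.fedex.com</a>
<a href="http://FedEx.com.maliciousdomainname.com/login">FedEx.com</a>
<a href="http://203.0.113.5/update">http://www.fedex.com/update</a>
<a href="https://www.fedex.com/help">Click here to view your invoice</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are currently inside
        self._text = []     # visible text fragments inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the owning domain as the last two labels of the host.
    Assumption: ignores multi-part public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# A domain-looking token: one or more labels followed by a TLD.
_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def displayed_domain(text):
    """Return the owning domain implied by the visible link text, or None
    when the text shows no domain at all (e.g. 'Click here')."""
    bare = text.replace("http://", "").replace("https://", "")
    m = _DOMAIN_RE.search(bare)
    return registrable_domain(m.group(1)) if m else None


def check_links(html):
    """Return one finding per link: (visible text, real host, verdict)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = displayed_domain(text)
        if shown is None:
            verdict = "no domain shown; destination is " + host
        elif registrable_domain(host) == shown:
            verdict = "ok"
        else:
            # The familiar name at the front does not own the real host.
            verdict = "MISMATCH: shows %s but goes to %s" % (shown, host)
        findings.append((text, host, verdict))
    return findings


if __name__ == "__main__":
    for text, host, verdict in check_links(SAMPLE_EMAIL):
        print("%-32s -> %-40s %s" % (text, host, verdict))
```

Run the script as-is to see the verdicts for the sample; to screen a real message, save its HTML source and pass that string to `check_links` instead. A link whose visible text shows no domain is reported rather than judged, because "Click here" gives the reader nothing to compare against and the destination host is what matters.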
In a similar vein, don't open attachments unless you know and trust the sender and also know what the attachment is. Again, doing so can start the installation of rogue software on your system. If you're not sure about the authenticity of what has been sent to you, try the mouse-hover approach detailed above. Alternatively, reach out directly to the sender and ask whether they actually did send the email. If you are questioning why a lawyer whose name you recognize sent you some important document, and you have no recollection of why it was sent, call the lawyer directly to ask about it, and always look up the number yourself. Why take the time to look up the number yourself? Think about it: if the email is a fake, the contact information provided in the email is fake as well. Don't be fooled! Other clues that a message is likely fraudulent or malicious include poor spelling and grammar, a request that you verify personal information, and/or a threat if you don't do something.
Only download and install software or apps from websites that you know and trust. Downloading free games, files from file-sharing sites, customized toolbars, and even things like free flashlight apps (a particularly nasty snooping app that can only be removed by a factory reset of your phone) may seem like a great deal, but they can bring real trouble with them.
Use a pop-up blocker and don’t click on any links within unexpected pop-ups or buy software in response to an unexpected pop-up. Unexpected pop-ups are another way scammers try to trick people into downloading malware. On Windows systems, for example, simply close the pop-up from the task manager or click on the pop-up icon on the task bar and then click on close. As an aside, make certain that every person in the office knows that security programs do not need someone to click on “scan now” in a pop-up that states their system is infected. The security programs do that automatically. Really bad things can happen if they fall prey to this scam. In fact, this is how a third firm got hit with CryptoLocker.
Have a policy that absolutely prohibits anyone from disabling their firewall or changing their browser security settings in order to get a web page to load. If a web page is not loading properly, there is a valid reason. Disabling firewalls and changing security settings can allow a "drive-by" download to occur, an automatic download of a malicious program that starts as soon as someone visits a compromised web page.
Finally, know the warning signs. If anyone's device slows down, crashes, or displays repeated error messages; won't shut down or restart; will no longer update; starts showing a lot of pop-ups; displays web pages they didn't intend to visit; displays unexpected toolbars or shortcut icons on the desktop; experiences a sudden or repeated change in its Internet home page; or its battery has started draining more quickly than it should, the user needs to know that they should report the problem to IT support immediately.
As a Risk Manager for ALPS, Mark Bassingthwaighte, Esq. is responsible for developing and delivering new risk management and CLE products and services, risk management consulting, law firm risk evaluations, and writing content for the ALPS 411 blog at www.alps411.com. In his tenure with the company, Mark has conducted over 1,000 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States and written extensively on risk management and technology. Mark received his J.D. from Drake Law School. He can be contacted at: email@example.com