Anatomy of a Law Firm Ransomware Attack, Part I

Day One

It was Martin Luther King, Jr. Holiday weekend and the law firm, just recovering from the holidays, was enjoying a three-day weekend. The firm’s accountant was sick the prior week and decided to come into the office on her usual Monday schedule to catch up despite the office being closed. After her normal computer login, she launched her time and billing program which occupied most of her day. But this day, it failed to launch. With no one else in the office, she called support only to find it closed that day due to a snow storm in the Midwest.

Without any other staff in the office to check on the status of the time and billing program, she began to work on other tasks to catch up from the week she was out. While she was working, she noticed that her network files looked strange. She was not always the savviest technology user, but something looked weird to her and none of her files would open.

At that point, the managing partner came into their small, eight-person law office. She asked him about the time and billing program, but he was not a regular user of the time and billing program and it wasn’t installed on his computer. He was able open up email and documents and didn’t notice anything weird on his computer, but he agreed that it looked strange and despite the holiday, he encouraged the accountant to call their IT folks.

In the phone call, the accountant described the inability to access the time and billing program and her “weird” files. She said that all of her files ended in a .wallet extension instead of .docx, .xlsx, and .PDF. Something had happened over the holiday weekend. Without even remoting into the server, the IT folks knew what had happened because they had seen it before.

It was ransomware, the nastiest of all malware, and it had hit their server. Their network server. With all of their data—documents, pdfs, time and billing system, and email. Everything was on that one server in the office.


Ransomware is what keeps IT people up at night. It is malware on steroids. In its various forms, ransomware encrypts files, data, and anything it can get its hands on with an unbreakable encryption key. The kind of encryption that banks use to protect your data can now be used against you and your firm.

During a ransomware attack, a law firm’s files are encrypted and when the process finishes encrypting the firm’s data, the perpetrator presents a ransom note on a computer with a clock counting down to a deadline. Typically, the firm has 24 hours (or less) to pay a ransom, usually in untraceable bitcoins (an electronic currency and payment system) in order to retrieve the key to decrypt their files. If the firm doesn’t pay, the only key to decrypt the data will be destroyed. A sample ransom note may look like this:

Click to enlarge

A Call for Help

Having seen ransomware before, the IT folks knew that there are a lot of different types out there. This particular variety of ransomware changed the name of the documents, including the extension on the end of the file. The original document had been called:


The corrupt document had changed to:


The only distinctive item was the “.wallet” extension on the end. After some searching, they found that the .wallet extension appeared to be a new variety of ransomware that was first seen in November 2016. As of January 2017, there had been no remedies or fixes and it was running rampant.

They suggested several places to start. They had seen this type of ransomware recently as well and it exhibited a few traits that might help. The ransomware took ownership of the files on the network, so it allowed them to change the name of all of the documents. Find the owner of the files and find the compromised user account.

The impacted files all seemed to be owned by a user called Scanner. This Scanner user had probably been created long ago to enable scanning and emailing from a copier/scanner. By disabling this compromised user, Scanner, their ability to access the network as that user was cut off.

Since they were not sure where the infection started, all passwords on the network were immediately expired. Once a valid user logged into the network with correct credentials, they were immediately prompted for a new password. If the wrong password was tried too many times, the account was locked.

Damage Control

Digging deeper, the files on network that were associated with the time and billing system, as well as any other database file, were all encrypted and inaccessible. Every last one. However, not all of the Client files were encrypted. There seemed to be some order of encryption of the client files. The encryption seemed to begin at the letter “A” and stopped in the middle of the letter “G.” The remaining files H-Z seemed to be unaffected. Weird. Why did it stop? Did the encryption not finish? Maybe or maybe not. There was not a ransom note anywhere like other ransomware that they had seen in the past. They dug a little more…

The IT folks took a look at the entry point to the network, the one point connected to the outside world: the Terminal Server. It was the one server open to the internet for people to access the network from the outside. After logging into the server, a window greeted them to inform them that it caught a virus—ransomware—and removed it. A quick check of the history and a full scan of the server said that there was no more virus. No more ransomware?

They could only hope.

Read Part II here!

Check Also


Virginia’s New Data Protection Law

The new law signals an increased need for adaptability in privacy compliance.