Day Two
In Anatomy of a Law Firm Ransomware Attack, Part I, our law firm found out that they had been infected with ransomeware. They solved the immediate problem, but would need to recover their data and put some long-term solutions in place.
Remediation
Now, they thought the bleeding from the ransomware had stopped. It was time to figure out how to proceed. Restore from backup? Are the backups any good? Pay the ransom? But there was still no ransom note. Time was ticking away.
The firm had two different backup systems and both had been giving them trouble recently. They had an onsite backup and a cloud-based backup. They finally had disabled the onsite backup because the software was out of date and the server would be going away soon, so they were reliant on the cloud-based backup.
The firm’s cloud-based backup system had also been having connectivity issues, so the backups were sporadically working. They were doing some manual backups to put data in a different location on the network in case of hard drive failure. They checked those manual backups on the NAS (network attached storage) and all the files were encrypted. The local backups and the manual backups were not an option. They hoped that the cloud-based backup that had been running was up to date.
In checking the cloud-based backup, the IT folks found all of the cloud-based backups were up to date on Friday evening. (They determined that the infection began on Saturday at about 2:30am.) They checked the time and billing system and all backups were up to date. Whew! If the firm had to, they could restore all of their files from the cloud-based backup system. It may take a while, but the backups were there.
With further investigation, they were able to determine that unlike some ransomware infections, the local windows backups, called Volume Shadow Copies, had been preserved on the server in this attack. This would enable them to restore files easily right from the local server. Was this because the ransomware didn’t finish? Was it a poorly written copy? They will never know.
The ransomware clock had stopped. The firm did not have to pay a ransom, jump through hoops to get a decryption key from the hacker, or even restore all of their data from their cloud-based backup. The firm was lucky. Very lucky.
Moving On
Typically, this type of ransomware is a way to make money. Easy, quick money. They have your data, you have money. Pay the money and you get your data back with a quick exchange of money. You are back in business.
Why do firms pay? They may not know any better. They may not have a disaster recovery plan as to what to do in case of emergency. The firm may not have good backups. In many cases there is no choice to make; they pay the ransom or go out of business. What choice do they have? Many companies are forced to make this decision every day, which is why ransomware is such a lucrative business.
Prepare Yourself
There is a lot that firms can do to help protect themselves from ransomware or any type of issue where their data is compromised. Begin by:
- Have damn good backups. Whether you are a big firm, small firm, or solo, backups are the key. If you are not personally making the backups, you need to make sure that backups are complete and up to date every day. If they are not up to date, do whatever you can to get them up to date as soon as possible.
- Have damn good cloud-based backups. Ransomware does not discriminate. If backups are local and connected to your server, PC, or network in any way, they are susceptible to ransomware. If you are not using cloud-based backups, make arrangements to use them. From Carbonite to iBackup to iDrive and every kind of backup program out there. Just use it.
- Create a disaster recovery plan. By creating a disaster recovery plan, your firm has a plan to move from impact to resolution. If you consider the alternatives, the planning process may take some time, but then you will have the pieces in place to put the firm back together.
- Disable old user accounts. This firm had been compromised by an old user that was no longer active. It had been set up a while ago, so it probably had a weak password. By maintaining older accounts, your network is only as safe as the weakest password.
- Consider cyber liability insurance. As a new offering from many malpractice insurance providers, cyber liability insurance will not prevent issues, but it may help recover from these issues. (Note: This firm had cyber liability insurance and are we continuing to remediate to be sure that any issues have been resolved.)
- Use a spam filter. Ransomware can come from a variety of sources, including email. By using a spam filter, firms can use that as the first line of defense against bad email.
- Train your attorneys and staff. Ransomware and other viruses can come through email or even navigating to a bad website. Educate your attorneys and staff on what to do in case a bad email comes their way or they click on a site that might be compromised.
In the end, all firms in 2017 are susceptible to ransomware. The best defense against ransomware is a good backup, trained staff and attorneys, a plan, and a little luck.
Stay safe out there!