It should come as no surprise that law firms are increasingly worried about their clients (and themselves) becoming targets of sophisticated cyber attacks. While these risks have been widely publicized, the breadth and potential operational, liability, and reputational impacts of ransomware are staggering. Case in point: global pharmaceutical company Merck disclosed in its two most recent earnings releases that the June 2017 NotPetya ransomware assault resulted in a $580 million impact on revenue and expenses. The same attack also impacted a number of other global companies as well as several large international law firms.
Law firms often act as a critical “first responder” for clients experiencing cyber events. Ransomware is a prime example of an area where firms can play a proactive role in helping clients (and their own firms) achieve cyber resiliency: the capability to anticipate, withstand, recover from and evolve against ransomware attacks.
Ransomware is technically defined by US-CERT as “a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it.” According to the recently released World Economic Forum Global Risks Report 2018, ransomware attacks accounted for 64% of all malicious emails sent between July and September last year, affecting double the number of businesses compared with 2016. Likewise, the U.S. Director of National Intelligence’s 2018 Worldwide Threat Assessment, released February 13, assesses that “the availability of criminal and commercial malware is creating opportunities for new actors to launch cyber operations.”
Moreover, in the above-described NotPetya attack, as well as the WannaCry attack carried out a month earlier, financial gain was not the aim. According to a White House statement attributing WannaCry to North Korea, “The malware encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries. While victims received ransom demands, paying those demands did not unlock their computers.”
Law firms can work with clients to address the following fundamentals of an effective ransomware resiliency plan.
Understanding ransomware risk is the first step to effectively addressing it. A starting point is identifying an organization’s most critical assets: applications, users, and business processes. Likewise, all users should know basic cyber hygiene. Even though it appears NotPetya gained its initial access through server-side infrastructure rather than end users, ransomware is often introduced through user endpoints.
Assisting clients in recognizing the importance of fundamental security practices such as closing unnecessary ports, preventing unauthorized machine-to-machine communication and applying software patches in a timely manner can reduce incidents and the crises that follow them. A basic question: when software vendors like Microsoft release patches, can your client (or your firm) find and remediate at-risk assets comprehensively and quickly? Are anti-virus and malware detection tools updated in a timely manner? Talk to your client’s security teams about layered defense, for example segmenting critical assets to limit their exposure to malicious activity. Talk to your client’s business, security, and procurement teams about controls on third-party access to the network, as well as contingencies for when a critical third party is incapacitated by an attack.
Organizations should have comprehensive, tested backup plans and practices in place to facilitate successful business continuity and disaster recovery. Per US-CERT, backup copies of sensitive data should not be readily accessible from local networks. Consider redundancy in critical services and suppliers as well.
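The two preceding paragraphs ask whether an organization can quickly find at-risk assets after a patch release, whether critical segments (including backups) are isolated from ordinary user networks, and whether unauthorized machine-to-machine traffic is blocked. The following is an added example, not code from the article or from The Chertoff Group, showing how a security team can answer those questions mechanically by reconciling an asset inventory against a patch baseline and comparing the firewall's actual permitted flows with the intended segmentation policy. Every host name, zone, patch label and rule below is constructed for illustration; port 445 is used because the SMB file-sharing service is a common spreading path for worm-style ransomware, but nothing else here describes a specific real environment.

```python
"""Added example (not the article's own code): find hosts that are both
behind on required patches and reachable through flows the segmentation
policy never intended. All inventory data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Host:
    name: str
    zone: str            # network segment the host sits in (constructed labels)
    installed: set[str]  # patch labels already applied (hypothetical labels)
    listening: set[int]  # TCP ports the host actually exposes


# Hypothetical patch baseline every host must carry.
REQUIRED_PATCHES = {"PATCH-A", "PATCH-B"}

# Constructed inventory. bkp-01 is the backup server; it should never be
# reachable from the user segment.
HOSTS = [
    Host("ws-01", "user", {"PATCH-A"}, {445}),                    # workstation, missing PATCH-B
    Host("app-01", "app", {"PATCH-A", "PATCH-B"}, {443, 445}),
    Host("db-01", "db", {"PATCH-A"}, {1433, 445}),                # missing PATCH-B, but isolated
    Host("bkp-01", "backup", {"PATCH-A", "PATCH-B"}, {22, 445}),
]

# Intended segmentation policy: (source zone, destination zone, port).
POLICY = {
    ("user", "app", 443),
    ("app", "db", 1433),
    ("backup", "app", 22),
}

# What the firewall actually permits (constructed). The two extra rules are
# the kind of drift a review should surface: user-to-user SMB (lateral
# movement) and user-to-backup SMB (backups exposed to the local network).
FIREWALL = POLICY | {("user", "user", 445), ("user", "backup", 445)}


def missing_patches(hosts: list[Host], required: set[str]) -> dict[str, set[str]]:
    """Return {host name: patches it still lacks} for hosts below baseline."""
    return {h.name: required - h.installed for h in hosts if not required <= h.installed}


def unauthorized_flows(hosts: list[Host], firewall: set, policy: set) -> list[tuple[str, str, int]]:
    """Flows the firewall permits, to a port a host really listens on, that the
    policy never intended. Returns (source zone, host name, port) triples."""
    by_zone: dict[str, list[Host]] = {}
    for h in hosts:
        by_zone.setdefault(h.zone, []).append(h)
    findings = []
    for src, dst, port in sorted(firewall - policy):
        for h in by_zone.get(dst, []):
            if port in h.listening:
                findings.append((src, h.name, port))
    return findings


def prioritize(hosts: list[Host], required: set[str], firewall: set, policy: set) -> list[str]:
    """Order unpatched hosts so those also reachable through an unintended flow
    come first: they are the ones a worm-style attack would hit first."""
    gaps = missing_patches(hosts, required)
    exposed = {name for _, name, _ in unauthorized_flows(hosts, firewall, policy)}
    return sorted(gaps, key=lambda name: (name not in exposed, name))


if __name__ == "__main__":
    for name, lacking in missing_patches(HOSTS, REQUIRED_PATCHES).items():
        print(f"{name}: missing {sorted(lacking)}")
    for src, name, port in unauthorized_flows(HOSTS, FIREWALL, POLICY):
        print(f"policy violation: zone {src!r} can reach {name} on tcp/{port}")
    print("remediation order:", prioritize(HOSTS, REQUIRED_PATCHES, FIREWALL, POLICY))
```

In practice the inventory and firewall rule sets would be exported from the organization's asset-management and firewall systems rather than typed in; the value of the check is that it runs against the whole estate in seconds each time a vendor publishes a patch, and that it flags backup hosts reachable from user segments as a policy violation rather than leaving that to memory.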
Malicious actors utilizing ransomware constantly adapt their tactics, techniques, and procedures. Consider whether your clients (or your firm) participate in an Information Sharing and Analysis Organization so that, as new threat information becomes available (e.g., on NotPetya variants or other attacks leveraging the Shadow Brokers disclosures), security teams know about it and can act on it.
Bottom line, helping clients understand the importance of applying these foundational security approaches is crucial to resiliency—and to advancing the role of law firms as trusted advisors in times of crisis.
To explore options for help in safeguarding clients against a ransomware attack, reach out to our experts at The Chertoff Group to learn how we work directly with law firms and their clients to address ransomware risk.