We know better than to ask if your organization has already been a victim of a ransomware attack. So, let’s ask it this way. Do you know of law firms that have already had to respond to ransomware attacks? How many? How about clients of law firms?
AK: I do know of a small divorce law firm that got hit with a ransomware attach. A staff member opened up an email from a source she presumed was trusted. The firm’s option was to pay the ransom or wipe out their computers and lose several weeks of work-product as the firm neither has real-time backups or a terrestrial backup system in place. They paid the ransom.
DK: Fortunately, I don’t know anyone personally who has gone through a ransomware attack, but it feels like it’s just a matter of time before I will. Reports of ransomware attacks on businesses and organizations, including law firms, occur regularly. I saw recently that there has been a significant uptick on ransomware attacks on schools. Some experts believe that it has been “too quiet out there” lately, and we might be in the calm before a big storm.
JL: Yes. Ransomware is a scourge of our time and has impacted all segments of society. Attacks on law firms of all sizes have occurred – some have been publicly reported either at the time of occurrence or, in some cases, as a result of subsequent litigation. Other attacks have not received widespread attention but are obvious to clients and others interacting with the firm such as opposing counsel. I witnessed opposing counsel deal with such a situation while attempting to maintain his busy practice.
AS: Yes, I do know a number of law firms that have had to respond to ransomware attacks within the past year. What I learned after speaking with some of them was that there is a whole industry built up around creating these kinds of attacks. Some of the companies behind these attacks even have their own websites where they advertise the law firms and businesses they have attacked. There are even professionals who negotiate on behalf of the hacked business or firm to reduce the ransom being demanded. In many cases, even if the attack was isolated and data recovered so that the firm can continue doing business, some ransom is paid in the hopes that the attacker won’t release any data they have received onto the dark web, or won’t attempt a future attack on the same business.
The US government has never had a higher threat level for ransomware than now. Are you seeing law firms escalate their readiness to this threat level? If not, why not?
DK: The alerts on the CISA.gov website lately feel like the Internet equivalent of a flashing red light. That said, my sense is that we are hearing and seeing more about law firm efforts on getting people back into the office and raising starting salaries than we are about ransomware defense efforts. Look, defending against ransomware is a complex and evolving process and it’s hard to find cybersecurity talent. Firms have to set their own priorities. Since the beginning of the Russian-Ukraine war, the warnings of cybersecurity threats, including ransomware, have surged. I’d like to see and hear about more happening in this space than I have so far.
JL: Yes. I do believe that some firms have reacted to the current environment by escalating their commitment to defend and, if necessary, respond to threat actors. On the other hand, I believe there are other firms that have a certain naivete or, perhaps, fatalism. Of course both of those attitudes are dreadfully dangerous and should be adjusted immediately.
AS: I am seeing some law firms escalate their readiness, but the ones doing the most are those that have already been hit. Many solo and small firm lawyers may have put some minimal safeguards in place, but have not escalated their efforts to the level of the threats being warned about. And these new threats may be very different from what we’ve seen in the past.
What should be part of a law firm’s ransomware plan?
AK: Education, education, education. No need to say more.
DK: First and foremost, actually have a written plan. The great news is that US government sets out the standard game plan as part of its Stop Ransomware site. The CISA Ransomware Guide has a set of best practices set out for you, along with other resources. You should be able to put together your own plan quickly. Do that now rather than after the fact. Second, make sure your plan is updated on a regular basis. Third, at the minimum, identify the people who will be tasked with dealing with an attack in advance.
JL: First, a law firm should understand the risk and the recommendations suggested for businesses of all types including the value of an incident response plan for firms of all sizes. The National Institute for Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) are just two credible sources of helpful information describing such plans and other tools. Law firms also need to think through additional issues specific to the attorney-client relationship such as ethical duties to keep clients informed and client information confidential. The American Bar Association has some excellent resources worth reviewing including, among others, the ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, which provides practical guidance, and strategies.
AS: Whether a firm needs a formal “ransomware response team” may depend on the size of the firm and the practice, but certainly firms of all sizes should have a plan in place and know how they will respond, who needs to be informed, and how data will be recovered. The firm’s management and IT department should work together to create the plan, along with their insurer(s) and other outside experts who can help the firm isolate the attack, if possible.
What do you think about putting a ransomware response team in place now as a precaution?
AK: For small firms and solo practitioners, I do not see a need to have a “ransomware response team.” I do believe that every member of a firm, be it a solo practitioner or any individual who is employed by a firm know the do’s and don’ts of a practice in order to avoid the big red scary screen or the white FBI screen that we’ve come to know and loathe.
DK: I’m 100% in favor of that. Get the right people on the team. It should be cross-functional and tag them with areas of responsibility. If you have cyber-insurance, you will want to involve them in this effort. Meet regularly and keep up with current developments. Given the nature and consequences of these threats, you will want to be proactive and not desperately reactive. I’d pay the team a bonus, but your mileage may vary.
JL: As noted above, firms of all sizes will benefit from developing and maintaining an incident response plan. One component of such a plan is understanding the key personnel (internal and external) that would be needed to handle an incident. Time is always crucial to any law firm. There is no benefit to waiting to an incident occurs before figuring out a plan for responding. A team should be in place and periodic “tabletop” exercises should be conducted to test the plan and the team.
AS: I am certainly not an expert on ransomware, but I would caution law firms of all sizes to take a look at their cybersecurity and get the help of professionals to develop a plan. I have heard many experts say that it isn’t a matter of if a law firm will be targeted with such an attack, but rather when it will happen. While you may not be able to prevent the attack, there are certainly steps that can be taken to:
• Make it more difficult for the hackers to infiltrate your system
• Protect client data, and
• Ensure that if and when an attack comes, the firm can continue operating.
Get cyber insurance if you don’t already have it. Many cyber insurance companies will also have resources and recommendations law firms can follow to protect themselves.
What are your best tips, resources, and advice on ransomware and protecting yourself?
AK: Tip #1 is to be 100% sure where an email is coming from. Even if the sender’s name looks familiar, also look at the extension (.com, .org, .net). The sender may be a common name, but if you see .ecc, .exx, etc… delete it immediately! All you have to do is click on the sender’s name in an email (same with a smartphone) and the sender’s email address will appear. This will allow you to see if the email is legitimate. Tip # 2 – older versions of Adobe Flash Player are highly vulnerable to ransomware attacks. Flash is used to play videos and other interactive content. I advise my clients to update their Flash player to the most recent version. As Flash is a “plug-in,” I advise them to disable the Flash plug-in to the “ask to activate” or “ask first” setting. It is easy to set this prompt using a simple Google search.
DK: You definitely want to be familiar with the CISA Stop Ransomware site. If you have cyber-insurance, your carrier will likely have resources. If not, cyber-insurance websites often have great resources. A key component of ransomware is having a great, usable backup, so don’t overlook that. Otherwise, it’s a lot about basic blocking and tackling – multifactor authentication, security hygiene, and the like. These efforts might feel cumbersome, but there’s never been a time when they were more important than they are now.
JL: You do not need to be a technology guru to understand the general risk. Commit to improving your firm’s resilience by learning from the experts (such as the resources noted above) and deploying a plan to manage risk. Consult with others as needed and ensure your basic level of technology competence accounts for handling the topic of ransomware professionally and responsibly.
AS: Some steps that can be taken include requiring multi-factor authentication for log-in to firm machines, servers, or programs, backing up data frequently and redundantly, keeping software and systems up to date, training all lawyers and staff, hiring an outside company to help with training and/or to perform attempts to infiltrate the firm’s system to expose potential weaknesses. Do some research and find professionals who can help.