March 16, 2022 Feature

The Ransomware Epidemic: Criminals Taking Advantage of Those Working from Home—Including Lawyers and Media Companies

By Judith Branham and Cheri Carr

The note isn’t made of letters cut from a newspaper and pasted on paper. No, it comes in the form of a text file displayed on your computer screen, claiming to have rendered certain of your files unreadable. But it’s a ransom note nonetheless, demanding payment in exchange for the keys necessary to regain access to your data (which the criminals have encrypted) or prevent it from being disclosed to the public. That sinking feeling is as real as the dollars at stake: You are a victim of an increasingly prevalent cybercrime known as a ransomware attack. You may not know when or how your computer became infected. Was it a spear phishing email that looked legitimate, and so you clicked on a link or an attachment? Or were your credentials previously compromised and found on the dark web? One thing is clear: You are not alone in falling prey to a ransomware attack.

Cyberattacks involving ransomware were already on the rise prior to the pandemic, but with the move to a work-from-home (WFH) environment, criminals have taken advantage of the crisis to exploit the vulnerabilities of the disrupted workforce. It might sound hyperbolic to describe the increase of ransomware attacks as epidemic, but for those of us in the cybersecurity industry who have lived it, that’s what it feels like. And, in fact, statistics show the rise is unprecedented. According to Bitdefender’s Mid-Year Threat Landscape Report there was a 716 percent increase in ransomware attacks from 2019.[1]

Ransomware is on the rise because it is so profitable: Faced with few good choices, many victims just pay the ransom, usually after hiring someone to help them negotiate the amount. As a result, the number of cyber insurance claims has also skyrocketed, leading some in the industry to speculate that the increase in payments is leading to higher amounts being demanded, which can run into the millions and even tens of millions of dollars. However, this upsurge is also attributable to what the industry refers to as “threat actors” organizing themselves into collectives known as hacking groups. The number of identifiable hacking groups continues to grow significantly, and, at the same time, we are seeing the level of sophistication in ransomware attacks rise. Even organizations with strong cybersecurity defenses are falling victim to the attacks. The reality is that for the typical cybercriminal, ransomware—or its close cousin, cyber extortion—is a big payoff for relatively little effort.

In May 2021, one hacking group launched a successful ransomware attack that caused Colonial Pipeline to shut down the largest fuel pipeline in the United States, resulting in shortages on the East Coast. The ability to impact the nation’s critical infrastructure, combined with the increase of attacks, underscored the urgent need to take ransomware attacks seriously. Following the Colonial Pipeline attack, the White House issued an open letter in June 2021 advising the private sector to ensure its cybersecurity defenses match the increased threat of ransomware attacks. The letter calls on all companies, regardless of size or industry, to understand that every company is a potential target of a ransomware attack, and thus there is an urgent need to sharpen cybersecurity detection and defense capabilities.[2]

Two days after the White House issued the open letter on ransomware, several TV news stations owned by a large national media group were taken offline as the result of what appeared to have been a ransomware attack.[3] The attack validated the White House’s warning that all companies are vulnerable to ransomware attacks, even those in the communications industry. And in October 2021, a second large national media group was hit with a ransomware attack that forced several television stations off-air.[4] Although the media company worked quickly to restore operations, broadcasting problems continued throughout the weekend, and some stations resorted to social media to deliver broadcasts.[5]

The attacks on two large national media organizations further demonstrated that threat actors are sophisticated enough to bypass security controls and take down critical services. And just like the Colonial Pipeline attack, when critical services are taken down, it quickly becomes public and attracts a lot of unwanted attention.

What Is Ransomware, and Why Has It Proliferated in a WFH Era?

Ransomware is the term used for the category of malicious software designed to encrypt files such that they become unusable without the decryption keys, which the attacker holds. Motivations for ransomware attacks, which can be launched by threat actors around the world, including in the United States, can vary but are typically financial in nature. These attacks are becoming more sophisticated, making detection by even advanced cybersecurity tools difficult, if not impossible. Oftentimes, threat actors use zero-day malware or next-generation malware that has previously not been released, which often bypasses detection by enterprise detection and response solutions. The malware files often get dropped into system folders where users are not likely to go investigating and have names that camouflage them among legitimate system files, which often decreases the ability to detect them. Additionally, threat actors obliterate traces of activity by modifying, deleting, or destroying logs that would show their activity.

In order to deploy ransomware across a victim’s environment, a threat actor must first gain an initial foothold. The most common techniques for this first stage of compromise are (1) exploiting misconfigured platforms such as cloud-based email, collaboration platforms, and perimeter defenses; (2) exploiting misconfigured systems internal to a victim network that inadvertently allow public access; and (3) spraying company employees with phishing emails that are carefully crafted to lure recipients to either open an infected file that deposits malware or click on a link that directs them to an attacker-controlled site. This third type of attack has proliferated during the pandemic and work-from-home environments by providing attackers with an enticing lure for their phishes—emails that reference COVID, protocols/procedures, registration sites, and the like but that actually direct victims to an attacker-controlled site.

Once a foothold is established, the threat actor does some investigating to understand the environment and seeks to elevate privileges to provide for greater access. This is often done by mining for cached passwords or breaking weak passwords. Once privileges are escalated, threat actors will seek to move laterally to identify and infect as many systems as possible. Backdoors are also established to allow continuous access to systems, and, if left undetected, these backdoors can remain even after the compromise is discovered. Thus, it is critical in any incident to ensure that the threat actor’s movements are identified, as is the actor’s ability to remain in the environment even after the ransomware and other malware are removed.

Once data are exfiltrated and any identified backups are encrypted, the threat actor will launch the final stage of the attack by encrypting all compromised systems and demanding payment by displaying a note on the infected systems that describes the encryption and how to make payment. Some hacking groups even have live chat to assist with questions and payment, with some offering to decrypt a few encrypted files as a demonstration of good faith and “proof of life.”
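The behaviours described above (a camouflaged payload rewriting files en masse, a note dropped into many folders, and event logs deleted to cover tracks) are all observable on the endpoint. The following added example, which is not code from the article or from the authors’ firm, runs simple heuristic detections over a constructed set of file-activity events; the thresholds, host names and paths are assumptions chosen for the illustration.

```python
"""Heuristic detection of ransomware behaviour over constructed endpoint events
(added example, not from the article). Flags three stages the text describes:
mass encryption, ransom-note drops, and event-log tampering."""
from collections import defaultdict
from dataclasses import dataclass
import posixpath


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since epoch (constructed values)
    host: str
    action: str    # "create", "write", "rename", "delete"
    path: str      # POSIX-style path so the example runs on any platform


# Thresholds are assumptions for this example, not figures from the article.
ENCRYPT_WINDOW_SEC = 60      # encryption stage: many files rewritten quickly
ENCRYPT_MIN_FILES = 50
NOTE_MIN_DIRS = 5            # ransom note dropped into many directories
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "recover", "how_to")
NOTE_EXTS = {".txt", ".html", ".hta"}
LOG_PATH_HINTS = ("/winevt/logs/", "/var/log/")   # anti-forensic log deletion


def _split(path):
    directory, name = posixpath.split(path)
    stem, ext = posixpath.splitext(name)
    return directory, stem.lower(), ext.lower()


def detect_mass_encryption(events):
    """host -> extension where >= ENCRYPT_MIN_FILES distinct files gained the same
    extension within ENCRYPT_WINDOW_SEC (sliding window per host and extension).
    A noisy build job can trip this, so treat it as a lead, not a verdict."""
    first_seen = defaultdict(dict)          # (host, ext) -> {path: first ts}
    for e in events:
        if e.action in ("rename", "write"):
            _, _, ext = _split(e.path)
            first_seen[(e.host, ext)].setdefault(e.path, e.ts)
    hits = {}
    for (host, ext), paths in first_seen.items():
        times = sorted(paths.values())
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > ENCRYPT_WINDOW_SEC:
                lo += 1
            if hi - lo + 1 >= ENCRYPT_MIN_FILES:
                hits[host] = ext
                break
    return hits


def detect_ransom_notes(events):
    """host -> number of distinct directories where a note-like file appeared."""
    dirs = defaultdict(set)
    for e in events:
        if e.action != "create":
            continue
        directory, stem, ext = _split(e.path)
        if ext in NOTE_EXTS and any(h in stem for h in NOTE_NAME_HINTS):
            dirs[e.host].add(directory)
    return {h: len(d) for h, d in dirs.items() if len(d) >= NOTE_MIN_DIRS}


def detect_log_tampering(events):
    """(host, path) for deletions under known event-log locations."""
    return [(e.host, e.path) for e in events
            if e.action == "delete"
            and any(h in e.path.lower() for h in LOG_PATH_HINTS)]


def analyze(events):
    return {"mass_encryption": detect_mass_encryption(events),
            "ransom_notes": detect_ransom_notes(events),
            "log_tampering": detect_log_tampering(events)}


def constructed_events():
    """Constructed telemetry: one infected workstation and one benign one."""
    ev, t0 = [], 1_700_000_000.0
    for i in range(60):   # 60 documents renamed to .locked within 30 seconds
        ev.append(FileEvent(t0 + i * 0.5, "wks-07", "rename",
                            f"/c/Users/jdoe/Documents/case{i}/brief{i}.docx.locked"))
    for i in range(6):    # a ransom note dropped into six case folders
        ev.append(FileEvent(t0 + 31 + i, "wks-07", "create",
                            f"/c/Users/jdoe/Documents/case{i}/README_DECRYPT.txt"))
    ev.append(FileEvent(t0 + 40, "wks-07", "delete",   # Security log wiped
                        "/c/Windows/System32/winevt/Logs/Security.evtx"))
    for i in range(10):   # benign: ordinary saves spread over ten minutes
        ev.append(FileEvent(t0 + i * 60, "wks-02", "write",
                            f"/c/Users/asmith/Documents/memo{i}.docx"))
    return ev


if __name__ == "__main__":
    for kind, finding in analyze(constructed_events()).items():
        print(f"{kind}: {finding}")
```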

Honor by and among Thieves

Over the course of the past year, there have been some interesting adaptations in the behavior of attackers, including varying levels of “professionalism,” as they have begun to commoditize compromised systems. Hacking groups literally now offer ransomware-as-a-service (RaaS) available for purchase on the dark web to less skilled threat actors seeking to launch ransomware attacks themselves. RaaS enables these newcomers, or less adept hackers, to buy access to a victim’s compromised systems to which another hacker has gained a “foothold,” or has control over, but has not executed the ransomware attack. In this scenario, the compromised system may have limited value or financial resources, but these less experienced attackers are willing to pay-to-play.

In fact, there is a sliding scale of the type of attacker we are seeing. On one end of the spectrum are the threat actor groups that treat ransomware as a business. These hackers have done their due diligence using publicly available information such as public filings to understand the profitability of the business they’ve gained access to and base their ransom demand on that information. These are the threat actors who, at least on a few occasions, offer decryption keys for free upon learning the victim organization is in the health care industry, showing a hint of what they would have us believe demonstrates some sort of honor by thieves.

On the other end of the spectrum are the threat actors who have bought access into a victim organization and demand a huge ransom, hoping for the best. Occasionally, these attackers get crossways with others in the RaaS community for not adhering to the honor-among-thieves code of conduct, or not paying the ransomware author their cut of the earnings. A victim’s negotiations with these types of threat actors are often erratic as they seem to have trouble keeping track of which victims they’ve compromised. We have also witnessed threat actors releasing stolen information to the public even though the ransom demand was paid, citing the victim’s failure to respond quickly enough, or some other perceived indiscretion. The bottom line is threat actors are criminals and can’t be trusted to keep their word.

Hacking groups have also modified their tactics to spur payment of the demanded ransom. In a traditional ransomware attack, threat actors will deposit and deploy ransomware on compromised systems. Once executed, ransomware is designed to encrypt data on infected systems that can only be decrypted with keys that are promised in exchange for payment, typically in the form of bitcoin. They often encrypt backups of the data as well so that organizations have no way to access their backup data unless they pay. Increasingly though, attackers are upping their game to incentivize payment by exfiltrating data from systems prior to encrypting them. In this “smash and grab” attack, the threat actor looks for sensitive or confidential information to exfiltrate in order to coerce payment by threatening to release the data on the dark web. In other words, they have two bargaining chips: The victim wants its data back so it can continue to do business, and it also doesn’t want the data publicly released. Additionally, the threat actor may attempt to shame the victim into paying by publishing the name of the firm on the group’s dedicated leak sites.

Law Firms and Their Clients Are Not Immune

Certain industries, such as the legal and communications industries, were once thought immune from cyberattacks because they did not hold information typically thought to be beneficial to threat actors, such as credit card data. But as these criminals became more sophisticated, they began to realize that other industries are a target-rich environment because they hold their clients’ valuable information, which is oftentimes stored collectively on a single server or an e-discovery database, often making it easier to identify and extract information than it might be to access from the client’s own environment. Information they seek from law firm clients can encompass intellectual property, information about M&A transactions, and confidential business and financial information including trade secrets. Today’s threat actors have learned to leverage the threat of exposing valuable client data to coerce payment from law firms and companies and have shown an uncanny ability to modify both tactics and targets to achieve their end goal.

The challenge many lawyers face, especially in small and medium-size law firms or as in-house counsel, is that cybersecurity can be overwhelming—lawyers are not technologists and cybersecurity is complex. Unfortunately, just as “ignorance of the law excuses no one,” ignorance of technology does not excuse lawyers from the responsibility of ensuring reasonable security practices are in place to protect client data. Accordingly, a failure to take reasonable efforts to protect client data and detect a cyber intrusion may result in an ethical violation.[6]

To fulfill ethical obligations, a lawyer must often rely on both internal and external resources to provide the needed expertise, but that does not mean lawyers can abdicate responsibility.[7] As a start, lawyers must understand the firm’s or company’s cybersecurity practices and what types of security threats the firm faces. This information can be provided on a regular basis to the firm’s or company’s management committee. Lawyers must also understand the evolving threat landscape and what are considered best practices to defend against cyberattacks. This information might come from internal sources, from external sources such as cybersecurity firms that are on the front lines, or through media, including blog postings. Finally, lawyers should seek to understand and quantify the firm’s risk and determine how best to mitigate and transfer the risk.

The Big Decision

To pay or not to pay can be the most agonizing decision a law firm or company has to make when hit with ransomware. No one wants to pay, and not paying is consistent with the Federal Bureau of Investigation’s advice not to comply with criminal actors. But law firms or companies without viable backups required to restore operations are often left with no choice but to pay the threat actor. This was the case with a Rhode Island law firm of 10 lawyers that was unable to access its data for three months, resulting in $700,000 of lost revenue.[8]

But even if firms or companies are able to restore from backups, there can still be downtime as well as increased costs associated with the investigation, with total restoration possibly reaching into the millions of dollars for large law firms or companies.

For lawyers, who have an ethical duty to safeguard inherently sensitive client data, the decision to pay ransom became significantly more complicated when threat actors changed tactics and began to exfiltrate data prior to encrypting it. The threat to reveal client data is real. Last year, hacking group REvil infected a New York media and entertainment law firm with ransomware and exfiltrated sensitive client data, including data from numerous celebrities, and demanded $42M or the data would be released.[9] Additionally, the Maze group reportedly attacked five law firms with ransomware and threatened to publish the victims’ client information, which it did with at least one of the firms.[10]

Another factor in deciding whether to pay is the government’s recent release of two significant documents focused on cryptocurrency and the facilitation of ransomware payments. These were likely issued in response to the magnitude of the ransomware epidemic, mounting questions around potential payments to blocked persons or entities, and the need for guidance on prepayment diligence and collaboration with law enforcement and regulators. Lawyers should be aware of these directives and the potential impact of paying ransom.

Specifically, on October 1, 2020, the Department of the Treasury issued an advisory related to facilitating ransomware payments. It reminded the public of several important, preexisting provisions relevant to incident response with respect to a ransomware event.[11] Shortly after, on October 8, 2020, the Department of Justice announced its Cryptocurrency Enforcement Framework, outlining, in part:

  • how cryptocurrency technology is currently used and illustrating how malicious actors have misused that technology;
  • laws and regulations that exist at the federal level as they relate to cryptocurrency transactions; and
  • public safety challenges related to cryptocurrency.[12]

The key takeaways from both advisories include:

  • Law enforcement will continue to treat entities affected by ransomware as victims. These advisories signal no intent to the contrary, but they do stress the necessity for due diligence to ensure compliance with the Office of Foreign Assets Control (OFAC) guidance around Specially Designated Nationals (SDNs).
  • While considered best practice, neither advisory creates a new requirement that entities must notify law enforcement if victimized by ransomware or in connection with payment of a ransom as part of a ransomware event. However, impacted law firms and companies should consider the benefits of working with law enforcement (and notifying them of payment), including taking advantage of their experience with threat actor(s) across many incidents and industries.
  • The Treasury Department’s advisories appear to tacitly acknowledge that, despite best efforts, an entity may unknowingly make a ransom payment to an OFAC SDN. If it is later determined that such payment occurred, mitigating factors would likely include the steps taken to qualify the transaction such as working with law enforcement and the quality of the diligence effort.
  • Left unanswered is the most difficult scenario where a ransomware victim performs diligence and determines that the attacker involved is, or is likely, on the OFAC SDN list. In that instance, the victim entity is left with the impossible choice of either making a payment that may be considered unlawful or being unable to recover. In these situations, a victimized entity’s best course would be to notify and work with appropriate law enforcement and regulators. In doing so, there is the possibility the victim entity could mitigate or possibly avoid severe prosecution if it ultimately pays a ransom under duress to an OFAC SDN.

The Prescription

Gone are the days when only organizations that hold credit card information or social security numbers that can be sold on the dark web are the primary targets of cyberattacks. Threat actors have learned that the most important asset for any organization, including law firms and communication companies, is its information. Denying access to that information and threatening to release it to the public is a much more lucrative business model for threat actors that can result in big payoffs for relatively little work. Exfiltration of data from law firms and companies will continue to expand and evolve, maybe even becoming the new ransomware model.

To help law firms and companies mitigate the risk of falling victim to ransomware and better prepare for a ransomware incident, consider these tips:

  1. Be proactive. Lawyers often leave technology decisions to those with the expertise, but cybersecurity is not just an IT problem—it requires ownership and participation by every person at the firm. Lawyers, as stakeholders, should understand what the incident response plan is and their role as part of the response team. Importantly, these plans must be tested through simulated practice across realistic scenarios so everyone understands their role and responsibilities and can ask questions in a casual setting. In a work-from-home environment, this may also include conducting a virtual tabletop exercise.
  2. Educate employees on cybersecurity and phishing awareness. Social engineering, phishing in particular, is still a leading cause of unauthorized access to a network, including as the entry point for ransomware attacks. The first line of defense in a social engineering attack is your people, and they need to be able to recognize the signs of a social attack, feel empowered to take action, and know how to report it to the right people (and do so in a safe way). Once the workforce moved to the work-from-home environment, threat actors used language around COVID as the lure for their phishing campaigns. This came at a time when many were restructuring how they conducted daily business, relying heavily on email to communicate with their colleagues. Law firms and companies must create a culture where all employees feel responsible for enterprise security and are encouraged to participate in proactive detection of, and defense against, threats, risks, and attacks. Phishing awareness is a critical cornerstone to such a cyber-secure culture.
  3. Don’t resist security measures. Cybersecurity is sometimes viewed as “something that makes it harder to do my job,” but the goal is actually to implement security measures with consideration for the way lawyers work so they can do that work safely. A couple of measures that have been extremely effective at defeating ransomware attacks are multifactor authentication and encryption. Multifactor authentication (e.g., something you know—a password, plus something you have—a certificate or an alternating key code) for all authentication and access to email should be a requirement for all users. To liken it to something many of us have, a debit card, the number on the face of the card is “something you have,” but the PIN necessary to complete the transaction is “something you know.” Multifactor access controls can be even more effective if coupled with the use of virtual private network (VPN), which allows for a secure point-to-point connection between your computer and your firm’s network.
  4. Prioritize IT investment. But this is a law firm, so why should we invest in IT? Similar to the strains of coronavirus, the cyber threat landscape is constantly evolving. Attackers spend time and money performing research, testing for vulnerabilities, and developing weaponized software to exploit those vulnerabilities. In order to maintain a safe IT environment, law firms and companies must also invest in internal and external experts to ensure systems are patched and kept up-to-date to guard against attack.
  5. Install and properly configure enterprise detection and response tools. Separate and apart from investing in operational IT activities, law firms and companies should make a commitment to invest in tools specifically designed to detect and protect against cyberattacks within the firm’s network should a threat actor gain a foothold. Early detection is key to minimizing the impact of a cyber event—it could prevent a relatively minor issue from escalating into a full-blown incident, such as identifying first-stage malicious software (malware) that pulls down the next step (ransomware and the like) and stopping it before that second download can occur. These tools can help decrease the risk of a ransomware attack and are useful as part of incident investigation and response to rebuild the sequence of events, understand what happened, and determine the best remediation path. Importantly, the visibility that such tools can offer if configured correctly can help in answering the question around what the attacker did or didn’t access to inform the legal analysis around potential disclosure obligations.
  6. Partner with IT to design your networks, systems, and backups to reduce the impact of ransomware. In any IT environment, it’s not feasible to protect everything in the same way. Lawyers should help their IT colleagues understand where the most valuable data are stored within the network, so the most robust protections and monitoring can be applied to the parts of the network where the most sensitive data live.
  7. Ensure safe work-from-home practices. Since March 2020, many companies have adapted to a remote workforce, but not all were prepared with the technology or processes necessary to accommodate that sudden shift. Lawyers accessing sensitive information should be doing so through a company-issued computer using a VPN and should avoid storing those data on a personal computer.
  8. Consider risk transfer options. Because a ransomware attack can threaten a law firm’s reputation and goodwill, the magnitude of the risk ransomware creates is a difficult one to quantify. However, as part of incident preparedness, law firms and companies should consider obtaining appropriate cyber insurance coverage. In doing so, law firms and companies should review how coverage addresses indemnification for financial loss, business interruption, fees and expenses associated with the ransom and incident response, as well as considerations for service providers, such as the ability to work with incident response providers of choice.
  9. Prearrange your third-party response team. An effective ransomware response will often include all or some third-party expertise across the disciplines of forensic incident response, outside legal counsel, crisis communications, and ransom negotiation and payment. Seeking out, vetting, and contracting with these professionals during a ransomware incident places additional burden on an already-strained enterprise and wastes valuable time. It is critical to have that team identified, contracted, and on speed-dial so if a ransomware attack does happen, they’re able to respond immediately.

Endnotes

1. Mid-Year Threat Landscape Report 2020, Bitdefender, https://www.bitdefender.com/files/News/CaseStudies/study/366/Bitdefender-Mid-Year-Threat-Landscape-Report-2020.pdf (last visited Feb. 1, 2021).

2. Memorandum from Anne Neuberger, Deputy Assistant to President, White House, What We Urge You to Do to Protect Against the Threat of Ransomware (June 2, 2021), https://www.whitehouse.gov/wp-content/uploads/2021/06/Memo-What-We-Urge-You-To-Do-To-Protect-Against-The-Threat-of-Ransomware.pdf.

3. Kevin Collier, TV News Stations Become Apparent Target in Next Cyberattack, NBC News (June 4, 2021), https://www.nbcnews.com/tech/security/tv-news-stations-become-apparent-target-next-cyberattack-n1269662.

4. Aaron Gregg & Hamza Shaban, Ransomware Attack Knocks Some Sinclair Television Stations off the Air, Wash. Post (Oct. 18, 2021), https://www.washingtonpost.com/business/2021/10/18/sinclair-broadcasting-ransomware-attack.

5. Id.

6. ABA Comm. on Ethics & Pro. Resp., Formal Op. 483 (2018).

7. Id.

8. Debra Cassens Weiss, Victimized by Ransomware, Law Firm Sues Insurer for $700k in Lost Billings, ABA J. (May 2, 2017), https://www.abajournal.com/news/article/victimized_by_ransomware_law_firm_sues_insurer_for_700k_in_lost_billings.

9. Tom Ricketts, Ransomware: REvil & the Increased Targeting of Law Firms, Insight Archive, Aon (Sept. 2020), https://www.aon.com/risk-services/professional-services/ransomware-revil-increased-targeting-law-firms.jsp.

10. Casey C. Sullivan, Ransomware Hits Law Firms Hard—and It’s Worse Than Ever Before, Logikcull Blog (Mar. 5, 2020), https://www.logikcull.com/blog/maze-ransomware-law-firms.

11. Dep’t of Treasury, Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Oct. 1, 2020), https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.

12. News Release, Dep’t of Just., Attorney General William Barr Announces Publication of Cryptocurrency Enforcement Framework (Oct. 8, 2020), https://www.justice.gov/opa/pr/attorney-general-william-p-barr-announces-publication-cryptocurrency-enforcement-framework.



Judith Branham is a managing director and head of the Minneapolis office at Aon Cyber Solutions. Cheri Carr is a managing director and Digital Forensic and Incident Response Practice Leader at Aon Cyber.