Oregon State Bar Bulletin — OCTOBER 2015



Managing Your Practice

The Scourge of Law Firms:
Ransomware That Encrypts Your Data
By Sharon D. Nelson & John W. Simek



Remember the good old days of ransomware? You would get an email saying that you owed the IRS money and could pay it via a helpfully included link. Lots of people did this because it was only a couple of hundred dollars. And who wants to duke it out with the IRS? The same dull-witted people fell for the email claiming that someone at your home had downloaded music or movies illegally (much more likely true than the first scenario) and you needed to pay a fine so no one would come after you (or your spouse/child) for a much greater sum. Again, the price was relatively small, and many people paid.

The likelihood that a lawyer would fall for these primitive versions of ransomware was small. Fast forward to the days of Cryptolocker, which began in 2013. This ransomware Trojan attacked computers running Microsoft Windows, propagating itself by getting a user to click on an attachment or a link contained in an email. Click on the link or attachment and — “Winner, Winner, Chicken Dinner!” — the malware invisibly downloaded and began to encrypt your files. The malware encrypted files stored locally on the computer system as well as on any mapped network drives (such as those holding the files on your server), connected flash drives and other external USB drives.

You then got a message on your screen indicating that you would be given the decryption key to unlock your data for a reasonable sum of $300-$500; no checks or credit cards though: the payment of choice was and still is usually bitcoins. Curiously enough, there has been considerable honor amongst this brand of criminal, who normally provides the decryption key once the ransom is paid. Not 100 percent, but most victims report that they did get the decryption key, though it took them as much as a week to decrypt all their data.

Before we understood Cryptolocker well, many backups (especially in solo and small firms) were engineered in such a way that they too were easily infected and encrypted. This immediately caused I.T. folks to re-engineer backups so that they were not vulnerable to attack by ransomware, meaning that you could restore the encrypted files from your backup and not pay the ransom. But we still regularly see backups that have not been re-engineered, endangering all of the law firm’s files. The simple solution for most solo and small-firm lawyers? Unplug the external USB hard disk after the backup job completes. Another solution is to use agent-based backup implementations. This is our customary solution.

After some period of time, standard enterprise level security suites began to get a handle on Cryptolocker (and its variants) and were able to detect and stop the malware from infecting machines. We began to see a lot less of Cryptolocker.

But along came Cryptolocker’s evil cousin, Cryptowall, and the fight to defeat Cryptowall (and all its variants) has proven to be much harder. Frankly, it has had many I.T. consultants tearing their hair out. Criminals have gotten smarter too, often spoofing sender email addresses that make the recipient think they are receiving the email from a court or a reputable law firm. (And the English and grammar are much better too!)

The Symantec 2015 Internet Security Threat Report has a lot of meat to digest, including the statistic that ransomware (the general kind) increased by 113 percent in 2014. That’s bad enough, but what made us reel was the finding that ransomware that encrypts your data and demands money to provide the decryption key rose by 4,000 percent in 2014. That’s one heck of a percentage!

This is consistent with the deluge of calls we received in 2014 (and 2015) about data encrypted by ransomware. It is a scourge which shows no sign of abating. Standard enterprise security suites have been unable to slow the tsunami of variants, especially the Cryptowall variants.

Herewith, some guidance on how to fight ransomware, particularly for solo and small firms who cannot afford the wallet-busting protections that large firms utilize.

As we say all the time: There is no silver bullet that protects against all ransomware. Sadly, new variants are released every day.

Besides making sure that your backup is properly engineered as described above, you need a high quality enterprise security suite installed. We like Trend Micro and Kaspersky, but there are many good suites to choose from, so talk to your I.T. consultant.

Another way to protect your data is to attach to the network resources using UNC (Universal Naming Convention) pathing instead of drive letters. For those less familiar with UNC, it is accessing files using a \\server\share\file_path convention instead of a drive letter. Ransomware isn’t attacking data via UNC at the present time, but it wouldn’t surprise us if the next generation of attacks will.
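To see what a given workstation currently exposes through drive letters (the mapped network drives, flash drives and external USB disks described earlier), the following read-only PowerShell inventory can be run in the ordinary user's session. It is an added example, not part of the original article, and it assumes Windows 8 / Server 2012 or later for the Get-Disk and Get-Partition cmdlets.

```powershell
# Added example (not from the article): list every volume that is reachable
# through a drive letter in the current user's session. Read-only.
# Run as the normal user: an elevated session may not show that user's mapped drives.

# Win32_LogicalDisk DriveType values: 2 = removable, 3 = local fixed, 4 = network
$logical = Get-CimInstance -ClassName Win32_LogicalDisk

# External USB hard disks usually report as DriveType 3 (fixed), so collect the
# drive letters that sit on USB-attached disks separately.
$usbLetters = @(
    Get-Disk -ErrorAction SilentlyContinue |
        Where-Object { $_.BusType -eq 'USB' } |
        Get-Partition -ErrorAction SilentlyContinue |
        Where-Object { $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):" }
)

$report = foreach ($d in $logical) {
    $exposure = switch ($d.DriveType) {
        4 { 'Mapped network share' }
        2 { 'Removable media' }
        3 { if ($usbLetters -contains $d.DeviceID) { 'USB external disk' } }
    }
    if ($exposure) {
        [pscustomobject]@{
            Drive    = $d.DeviceID
            Exposure = $exposure
            UncPath  = $d.ProviderName   # \\server\share for mapped drives, empty otherwise
            Label    = $d.VolumeName
        }
    }
}

$report | Sort-Object Drive | Format-Table -AutoSize
```

Each "Mapped network share" row shows the UNC path that could be used in place of the drive letter. A "USB external disk" row that appears when no backup job is running points to a backup drive that was left plugged in.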

Let’s suppose, in spite of all you do, that you do get hit by ransomware. Do you have a plan for proceeding? Do you have cybersecurity experts to call in? Do you know what your insurance will and will not cover? And remember that no plan survives first contact with the enemy, so be prepared to revise the plan on the fly.

You might check out CryptoPrevent, software which offers the ability to prevent (in large measure) Windows computer systems from infection by ransomware. This software is relatively inexpensive, costing $15 or less per computer depending on the number of licenses needed. The configuration of this software has to be customized for each client, depending on the applications that will need to be allowed to run on your systems. This will require input from you, and it will take some amount of time and money as each computer is manually configured.

Another “no software cost” alternative is to configure Windows policies to achieve the same operational restrictions that CryptoPrevent provides. CryptoPrevent is automatically updated, whereas the “no software cost” solution is static. You see the trade-off.

At the ABA Techshow, we asked our very knowledgeable faculty colleague, I.T. consultant Ben Schorr, about CryptoPrevent and he noted that clients (understandably) don’t like the manual intervention required by CryptoPrevent to “green-light” applications. He had especially run into problems where automated software updates were not permitted by CryptoPrevent, requiring more manual work. Ben shook his head and commiserated with us on the difficulty of advising solo and small firms on how best to defend themselves against this kind of ransomware while keeping costs down.

We became aware recently of four law firms that were successfully attacked by a Cryptowall variant in one month in Northern Virginia. Given that, we have begun recommending the installation of CryptoPrevent — or at least making clients aware that it exists so they can make the money/aggravation vs. risk decision. We warned firms that you may get “pushback” from employees who are accustomed to installing any software they want. CryptoPrevent has proven to be quite effective by disallowing the installation and execution of software unless it has been whitelisted. You must determine for yourself if the risk of infection is high enough that you believe this kind of precaution is warranted, even as we tell you that no solution has been 100 percent effective.

The most common way that law firms get ransomware? Employees click on an attachment or a malicious link in an email. This brings us to another important point: One of the most often-overlooked aspects of an organization’s security readiness is end-user training. It is just as important that your employees know what not to click on as it is to have security software installed to help prevent these types of malware outbreaks. Your best bet is to train your employees — every year — what not to click on and to educate them about the indicators that they might see which should cause them to question whether the email is suspect. And this is something law firms steadfastly refuse to do. Some firms cite the training cost (pretty minimal compared to the risk in our judgment) and others cite the loss of billable time. We have a slide in one of our PowerPoints that says simply, “Training, training, training — oh, have we mentioned training?” You can see where we come down on that issue.

We live in a world where half of the people think “the cloud” is impacted by weather and where National Park Service rangers report that one of the questions they are asked most frequently is “Why were so many Civil War battles fought in National Parks?” Very basic security education can go a long way toward defeating ransomware and other security demons.

To conclude: Check out the possibility of installing CryptoPrevent and making it a part of your overall business information security protection, which also should include your firewall, IDS/IPS device, physical security, securely-engineered backup, security awareness training, etc.

Don’t think you can wish this problem away. The new breed of ransomware is a devilish adversary!

 

ABOUT THE AUTHORS
The authors are the president and vice president of Sensei Enterprises, a legal technology, information security and digital forensics firm based in Fairfax, Va. Reach them at (703) 359-0700 or www.senseient.com.

© 2015 Sensei Enterprises 
