Hackers have never reaped the fruits of their malevolent work as richly as they have in the last decade. With the emergence of ransomware as a real threat to businesses and individuals alike, everybody is trying to figure out how to handle this imminent danger to the wellbeing of many companies. The ransomware that has bombarded businesses has come in different strains, including Locky, CryptoWall and CryptoLocker, with the latest being WannaCry.
Ransomware is designed to infect a user’s computer via drive-by downloads, email attachments and malvertising. Almost always, the hacker identifies a vulnerability within an application and exploits it to deliver the malware to the unsuspecting user. As soon as the user encounters the malware, it copies itself onto the user’s computer. The hacker will have programmed it to look for the most strategic places to copy itself into, where it can inflict the greatest damage.
Additionally, the malware edits the computer’s registry and adds itself to the programs that start automatically with every reboot. What’s more, the malware often uses an SSL connection to generate the public-private key pair it needs to encrypt the data on the computer. Most cybercriminals prefer the TOR network for this process because it is safer for them. However, not all malware requires an SSL connection: some strains generate the encryption keys even in the absence of an internet connection.
The different ransomware strains have different capabilities: some can encrypt a backup repository, while others can delete the Volume Shadow Copies that are part of Windows’ automatic backup. Some are also designed to shut down database-related processes, which allows the malware to encrypt all files, including those that would be locked if the processes were still running.
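The behaviours just described (an autostart entry written to the registry, deletion of Volume Shadow Copies, database processes being stopped) are also what a defender can watch for on an endpoint. The following is an added example, not from the original article, of detection logic run over constructed host-event lines. The JSON field names (ts, host, event_type, process, key, value, image, command_line), the sample events and the rule thresholds are assumptions made for this demonstration, not the schema of any real EDR or SIEM product.

```python
"""Triage of host events for the ransomware behaviours described above.

Added example; the JSON-lines event format and its field names are an
assumption made for this demonstration, not a real EDR or SIEM schema.
"""
import json
import re
from collections import defaultdict

# Constructed sample events: ws-17 shows the three behaviours in sequence,
# ws-22 shows benign look-alikes (an installer's Run key, a shadow listing).
SAMPLE_EVENTS = r'''
{"ts": "2017-05-12T09:01:02Z", "host": "ws-17", "event_type": "registry_set", "process": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc", "value": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"}
{"ts": "2017-05-12T09:01:05Z", "host": "ws-17", "event_type": "process_create", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2017-05-12T09:01:06Z", "host": "ws-17", "event_type": "process_create", "image": "C:\\Windows\\System32\\net.exe", "command_line": "net stop MSSQLSERVER /y"}
{"ts": "2017-05-12T09:01:07Z", "host": "ws-17", "event_type": "process_create", "image": "C:\\Windows\\System32\\taskkill.exe", "command_line": "taskkill /IM sqlservr.exe /F"}
{"ts": "2017-05-12T10:15:00Z", "host": "ws-22", "event_type": "registry_set", "process": "C:\\Program Files\\Vendor\\setup.exe", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "value": "C:\\Program Files\\Vendor\\agent.exe"}
{"ts": "2017-05-12T10:16:00Z", "host": "ws-22", "event_type": "process_create", "image": "C:\\Windows\\System32\\vssadmin.exe", "command_line": "vssadmin.exe list shadows"}
'''

# Rule 1: autostart entry whose target lives in a user-writable directory.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)
# Rule 2: the built-in tools used to remove Volume Shadow Copies.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE)
# Rule 3: a service stop or process kill aimed at a database engine.
SERVICE_STOP = re.compile(r"^(net(\.exe)?\s+stop|taskkill(\.exe)?)\s", re.IGNORECASE)
DB_NAMES = re.compile(r"(sqlservr|mssql|mysql|postgres|oracle)", re.IGNORECASE)


def check_event(ev):
    """Return (rule_name, detail) when an event matches a rule, else None."""
    etype = ev.get("event_type")
    if etype == "registry_set":
        if RUN_KEY.search(ev.get("key", "")) and USER_WRITABLE.search(ev.get("value", "")):
            return ("run_key_persistence_from_user_dir", ev["value"])
        return None
    if etype == "process_create":
        cmd = ev.get("command_line", "")
        if SHADOW_DELETE.search(cmd):
            return ("shadow_copy_deletion", cmd)
        if SERVICE_STOP.match(cmd) and DB_NAMES.search(cmd):
            return ("database_service_stopped", cmd)
    return None


def triage(lines):
    """Parse JSON lines and group rule hits per host: {host: [(rule, detail), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hit = check_event(ev)
        if hit:
            findings[ev["host"]].append(hit)
    return dict(findings)


def flagged_hosts(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired (corroboration)."""
    return sorted(h for h, hits in findings.items()
                  if len({rule for rule, _ in hits}) >= min_rules)


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS.splitlines())
    for host, hits in results.items():
        for rule, detail in hits:
            print(f"{host}: {rule}: {detail}")
    print("flagged:", flagged_hosts(results))
```

Run-key writes and shadow-copy maintenance are both common for legitimate software, which is why the first rule only fires when the autostart target sits in a user-writable directory and why a host is only flagged when two distinct rules fire within the same event stream; that corroboration is what keeps the false-positive rate workable. In a real deployment the events would come from the endpoint agent's own log rather than an embedded string.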
For hackers, the easiest way to make their ransomware worth their effort is to target high-level employees and company decision makers. They want users that have the necessary permissions and authorizations so that a single successful attack can have significant monetary implications. A method they often use is targeting every employee in a company with phishing emails.
The hope is that the malware spreads to many users, some of whom may be senior or C-level executives at the company. In fact, Harvard Business Review published a report saying that a quarter of all computers that have been on the receiving end of a ransomware attack belong to C-level and senior company executives.
After successfully encrypting the files on the system, the malware sends out ransom demands. For safer illegal transactions, cyber criminals prefer bitcoin, because with bitcoin the hacker’s identity remains unknown. The increasing frequency of ransomware attacks is pushing companies to keep a stockpile of bitcoins ready so that, in the event of a cyberattack, they can pay the cyber criminals quickly enough to regain control over their systems.
The WannaCry attack that affected over 200,000 computers across the globe was a well-planned ransomware attack. More than 150 countries fell victim to the ransomware, which experts believe may have been stolen from the U.S. National Security Agency by Shadow Brokers, a hacker group. The WannaCry ransomware was designed to take advantage of a vulnerability in Windows XP. It encrypted files on the systems it successfully penetrated, then demanded payment to decrypt them.
In addition, users were required to send payment within the specified time frame, failing which the ransomware would delete the files. The sectors affected by this malware include government entities, businesses and hospitals. India is said to have been the most adversely affected by the cyber-attack.
While the WannaCry ransomware affected Windows computers, mobile devices are just as prone to attack. Some malware has been reported to lock users out of their smartphones and demand a ransom to unlock them.
Ransomware attacks and the Internet of Things
When you add these reports to the fact that the world is quickly embracing the Internet of Things, the future looks bleak from the vantage point of the present, where no real solution to the ransomware problem has yet come along. In the future, it will surprise no one if a hacker attacks a car on the road, takes control of it remotely and demands a ransom.
In August 2016, Motherboard published a report claiming that two researchers had successfully hacked a smart thermostat. It is scary to imagine being forced to send money to a hacker because his ransomware has taken control of your thermostat and kept its temperature at 99°, waiting for your ransom payment to bring it down. At that moment, you would be wondering whether you really have any choice other than to pay the ransom.
These incredible incidents have birthed a new discussion around the legal implications of cyber-attacks for the affected industries and entities that desperately need access to their data if they are to continue their operations. Consider the implications of a ransomware attack on a health facility, where the decision to pay or not to pay the demanded cash could have fatal consequences.
The nature of cyber-attack risks in the legal industry
One of the main objectives of cyber criminals when they attack law firms is to obtain confidential information regarding the clients the firm represents. They can use this information to demand ransom or for espionage purposes. Hackers will often target law firms that represent clients with confidential materials such as patents for high-tech innovations.
Financial and structural instability
Almost all ransomware directed at law firms is said to have the ability to destabilize the practices by making the systems necessary to run the firm unavailable. Ransom demands have been on the rise as hackers penetrate systems, encrypt data and demand payment to decrypt it. As a result, law firms, especially the smaller ones, can be thrown into financial strain after such an attack.
Hackers also attack law firms to obtain confidential information and then use it to pose as the real firm to unsuspecting clients, who in turn share confidential information with the hackers under the false impression that they are sharing it with their lawyers and that attorney-client privilege applies. The bogus firm could also ask for payouts. To avoid this, law firms must take basic precautions against identity theft. Failure on this front would exponentially increase the risk of members of the public being swindled and would subsequently ruin the firm’s reputation.
Legal considerations of ransomware attacks
The following are some of the legal considerations at play in ransomware attacks:
Laws requiring breach notification
Most states in the United States require institutions to notify their customers and employees, industry regulators and any other affected person of a data breach that could have compromised their personal information.
Enforcement by government authorities
In the U.S., the Federal Trade Commission takes action against companies that “fail” to secure their networks from a ransomware attack, to patch system vulnerabilities that hackers could exploit, or to update their systems. The commission says this failure violates Section 5 of the FTC Act. Additionally, the FTC reviews the security promises that companies make to their customers to determine whether they accurately represented the capabilities of the companies’ security systems.
In addition to paying ransom to hackers after a malware attack, companies are settling cases that lawyers bring to court on behalf of consumers and, sometimes, employees. Granted, it is unlikely that a customer would win a lawsuit against the company after a ransomware attack.
Nevertheless, many business executives choose to settle the cases instead of fighting in court, a process that could cost them more than settling. Companies sometimes also face litigation from business partners and their insurers. Other lawsuits include shareholder derivative lawsuits, which can emerge if the security breach had catastrophic implications for the company as a for-profit entity.
Data/Information security laws
As ransomware becomes commonplace the world over, lawmakers are creating information security laws that govern how institutions handle the personal information of people in their databases. In the U.S., a number of states have already enacted laws requiring organizations to implement and uphold reasonable practices and procedures meant to protect people’s personal information from access by unauthorized individuals.
Sometimes the law also requires the implementation and maintenance of reasonable protocols to safeguard this information from unauthorized use, disclosure, modification or destruction. If an audit of the security systems reveals that a ransomware attack succeeded because reasonable security measures were not in place, the company is likely to face a lawsuit.
Keeping up with government agencies’ guidance
Ransomware is still relatively new, so government agencies in different industries are still in the initial stages of formulating recommendations they can pass on to business organizations for dealing with ransomware attacks. It is therefore important that businesses keep up with new guidelines and recommendations from these agencies so that they can live up to the standards expected to keep their data safe.
Ransomware attacks on law firms in Canada and the United States
Any law firm anywhere can be the victim of a ransomware attack. Nevertheless, no law firm feels the impact of a ransomware attack as much as a small firm that lacks the financial muscle to create, implement and maintain state-of-the-art security protocols that would be hard to penetrate. The following are some of the ransomware attacks that law firms in the United States and Canada have confronted in recent years.
Ransomware attacks on law firms in Canada
A while back, when ransomware successfully penetrated the systems of some law practices in British Columbia, the Law Society of British Columbia released a warning to all its members about the risks their firms were exposed to as a result of the attack. The law firms that the ransomware had attacked chose to stay anonymous to avoid possible damage to their reputation.
All the same, the Law Society of British Columbia published a detailed account of one of the law firms that fell victim to the ransomware attack. The society reported that the firm noticed the attack on December 29, 2014, when the ransomware took over its systems and put this statement up on the screens: “Your files were encrypted and locked with an RSA2048 key.”
The ransomware then made its demands, asking that the firm’s leadership contact an address it provided within 12 hours with the ransom money ready. If the firm failed to comply within the 12 hours, the malware made it clear that the payout would double. The firm did not pay the ransom. Instead, it used its backup systems to recover the files the ransomware had deleted, and it reported the incident to the police.
The Law Society of British Columbia published this as a way of raising awareness in the legal industry, urging law firms to take seriously the need to set up strong security systems to protect their own information and that of their clients. The organization reminded law firms of the need to have data recovery protocols that can help them in the event that ransomware successfully infiltrates their systems.
Ransomware attacks on law firms in the United States
In the United States, CryptoWall remains the top ransomware attack that law firms have to deal with. One law firm that fell victim to a CryptoWall attack impressed many with its resolve not to pay the ransom.
Employees at the law firm started seeing unusual files such as “HELP_DECRYPT” on their work computers. They realized that their MS Office files had been encrypted, with the original versions nowhere to be seen. The cyber criminals demanded $700 USD before they would give the law firm the decryption key.
Unmoved, the law firm declined to give in to the ransom demands, saying it was not going to negotiate with terrorists. According to a statement from the firm, it lost more than three times the ransom demand in billable hours and lost productivity. The law firm deleted all the infected files and used its backup systems to restore the affected drives. The process took 48 hours.
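The two signs the employees noticed, ransom-note files named like “HELP_DECRYPT” and Office documents whose contents had been replaced, can be picked out of a file share mechanically, which is what a firm needs before it decides what to delete and what to restore from backup. The scan below is an added example, not from the original article or the firm's own process: it finds notes by name and replaced documents by byte entropy. The sample tree, the “.enc” extension, the entropy threshold and the list of legitimately compressed formats are all constructed assumptions for this demonstration.

```python
"""Scan a directory tree for the two on-disk signs described above: ransom-note
files named like HELP_DECRYPT, and documents whose bytes look encrypted.

Added example; the sample tree, the ".enc" extension and the thresholds are
constructed for this demonstration, not taken from any real incident.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

NOTE_HINTS = ("HELP_DECRYPT",)            # ransom-note name from the incident above
COMPRESSED_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".pdf",
                 ".docx", ".xlsx", ".pptx"}  # formats that are high-entropy by design
ENTROPY_THRESHOLD = 7.5                   # bits per byte; random data scores about 7.95
SAMPLE_BYTES = 4096                       # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, note_hints=NOTE_HINTS):
    """Return a file count plus the ransom notes and suspicious files under root."""
    root = Path(root)
    notes, suspicious, total = [], [], 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        total += 1
        rel = path.relative_to(root).as_posix()
        if any(h.lower() in path.name.lower() for h in note_hints):
            notes.append(rel)
            continue
        if path.suffix.lower() in COMPRESSED_OK:
            continue                      # compressed formats would always trip the test
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            suspicious.append(rel)
    return {"files": total, "ransom_notes": sorted(notes),
            "suspicious": sorted(suspicious)}


def build_sample_tree(root):
    """Construct a toy file share: plain contracts, three 'encrypted' briefs, one note."""
    matters = Path(root) / "matters"
    matters.mkdir(parents=True, exist_ok=True)
    for i in range(3):
        (matters / f"contract{i}.txt").write_text("Whereas the parties agree... " * 40)
    rnd = random.Random(42)               # deterministic stand-in for ciphertext
    for i in range(3):
        blob = bytes(rnd.getrandbits(8) for _ in range(SAMPLE_BYTES))
        (matters / f"brief{i}.doc.enc").write_bytes(blob)
    (matters / "HELP_DECRYPT.TXT").write_text(
        "constructed sample note: your files were encrypted")


def run_demo():
    """Build the sample tree in a temporary directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(run_demo())
```

Point the scan at a mounted share or a restored backup snapshot to see how far the encryption reached before deciding what to wipe and restore; the entropy check is what catches encrypted files whose names were left untouched, while the name check catches the notes that the extension allowlist would otherwise skip. Genuinely compressed or already-encrypted formats need to stay on the allowlist, or every archive on the share will be reported.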