Digital Detectives

The Ransomware Epidemic in Law Firms: A Guide to Defense and Survival

To those unfamiliar with ransomware, it is a malicious software that effectively holds your files hostage until you pay a ransom. For lawyers, this could mean losing or compromising the data that keeps your business running smoothly. In this episode of Digital Detectives, hosts Sharon Nelson and John Simek discuss this malware with the CEO of LMG Security, Sherri Davidoff. Sherri divulges what we know about ransomware, what to do when it has infected your computer, and how to prevent data loss. While there are few ways to stop the infection when it has started, backing up your information and educating your team on malware countermeasures can significantly lessen ransomware’s impact on your business.

Sherri Davidoff is the CEO of LMG Security, a cybersecurity and digital forensics company. She has more than a decade of experience as an information security professional, specializing in penetration testing, forensics, social engineering testing and web application assessments.

Special thanks to our sponsors, PInow and SiteLock.

View transcript

Digital Detectives

The Ransomware Epidemic in Law Firms: A Guide to Defense and Survival

01/17/2017

Intro: Welcome to ‘Digital Detectives’. Reports from the battlefront; we will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

[Music]

Sharon D. Nelson: Welcome to the 75th edition of ‘Digital Detectives’. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises.

John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on ‘Digital Detectives’ our topic is “The Ransomware Epidemic in Law Firms: A Guide to Defense and Survival”.

Before we get started, I would like to thank our sponsors.

We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more about SiteLock at  HYPERLINK “http://www.sitelock.com/legal/digitaldetectives” sitelock.com/legal/digitaldetectives.

We also would like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit  HYPERLINK “http://www.pinow.com” pinow.com to learn more.

We are delighted to welcome as today’s guest Sherri Davidoff; the CEO of LMG Security. Sherri is the co-author of ‘Network Forensics: Tracking Hackers through Cyberspace‘, and her new book ‘Data Breaches’, will be coming out in the fall. She has over 15 years of experience as a cybersecurity professional, specializing in digital forensics, penetration testing and security awareness training.

Sherri has authored courses for the SANS Institute and Black Hat and conducted on-site security training for the Department of Defense, Google, Comcast, Los Alamos National Laboratories, and many other organizations. She is a faculty member at the Pacific Coast Banking School, where she teaches cybersecurity classes. Sherri is a GIAC-certified forensic examiner and penetration tester, and holds her degree in Computer Science and Electrical Engineering from MIT.

We are really glad to have you with us today, Sherri.

Sherri Davidoff: Thank you so much, John and Sharon, and congratulations on your 75th podcast. That’s a big number.

Sharon D. Nelson: It is. And we saved that banner one just for you.

Sherri Davidoff: I feel like I should have gotten you a present.

Sharon D. Nelson: There is still time, Sherri.

Sherri Davidoff: That’s something in the mail.

Sharon D. Nelson: Well, with all the gloom and doom of Ransomware, I think a lot of our listeners know something about it and some of them wish they didn’t know as much about it as they do, but for many people Ransomware is still kind of a mystery, so can you go ahead and just give us a basic explanation of what it is and how it works?

Sherri Davidoff: Absolutely. So Ransomware is big business these days. It is a type of malicious software. When your computer gets infected with Ransomware, the malware will go through and encrypt all of your files, and it can also encrypt files on any network shares that you have attached. So to me that’s the scariest part.

It cannot just encrypt everything on your computer, it can also go through and encrypt everything on all the shares in your firm or in your organization. So it can go through an entire law firm or an entire company. It can even encrypt files that you have in the cloud like Dropbox or OneDrive, if you have those attached.

Once your files are encrypted then you’ll see a ransom note, sometimes it’s on your desktop, sometimes it pops up and starts to talk at you, sometimes even an audio. And the ransom note will usually tell you that your files have been encrypted and that you won’t get the decryption key unless you pay up.

So basically they’re holding you hostage.

John W. Simek: So Sherri, do you have to pay the ransom? What happens if you don’t pay it?

Sherri Davidoff: Well, that depends. Hopefully, you have good backups and it doesn’t matter, but regardless there’s three things you should keep in mind if you don’t pay the ransom.

Number one, of course, your files won’t be decrypted. Number two, the ransom might go up over time. So a lot of times, Ransomware will hold your files hostage for say $300, and if you don’t pay ransom in an hour, that might go up to $400, and if you don’t pay in 12 hours, it could go up to a $1,000. Last year, we saw a hospital, Hollywood Presbyterian, pay $17,000 as a ransom. So it could be the case that the longer you wait, the more you have to pay.

And the third thing to be aware of is that files can get deleted over time. Certain types of Ransomware will hold your files hostage and delete them one at a time as time goes on. So if you don’t pay us in an hour, then two files will get deleted. If you don’t pay us in three hours, then two more files get deleted. It’s kind of like they’re holding a person hostage and cutting off one finger or one toe at a time.

John W. Simek: Geez.

Sharon D. Nelson: That’s a heck of a photo.

Sherri Davidoff: Yeah.

John W. Simek: As a follow-up, Sherri, I think it was last week, I was reading somewhere, where there was a new strain of Ransomware that actually they would send you the decryption key if you infected other people with the Ransomware; in other words, spread it for them?

Sherri Davidoff: Yeah. I’m so glad you mentioned that. I was actually going to bring it up, that was the Popcorn Ransomware and it’s pretty evil. You can either pay up or you can decide that you’re going to infect other people, and if two other people pay the ransom, then you supposedly get your decryption key for free.

(00:05:03)

But you guys are attorneys, and so I am curious to know, can you get sued if you infect other people? I mean, I think there are some real legal issues here.

Sharon D. Nelson: That’s a clear yes. John is not an attorney, but yes, you cannot commit a crime to get yourself out of trouble. That is hysterical.

So what do you advise people? Should they pay the ransom, and if they do decide to go and pay the ransom, how do they go about doing that?

Sherri Davidoff: Well, there has been a lot of debate about that issue. In 2015, the FBI said, pay the ransom, and certainly that’s what I have seen happen in the majority of cases where businesses get hacked and they don’t have good backups, and I am sure we will get to that a little bit more, but an ounce of prevention is worth a pound of cure, have good backups.

At LMG we actually keep a stockpile of Bitcoins now, and so if your legal counsel tells us to pay ransom on your behalf we can take care of that for you, and a number of other IT companies will do the same thing.

Now this year the FBI has come out and said, do not pay the ransom. They said that for two reasons. First, so that you’re not supporting organized crime, and second, because there is actually no guarantee that criminals will release the decryption key once you pay the ransom. You might pay the ransom and then they run off.

In my experience though, they typically do release your files. Sometimes they just release part of your files like a quarter of them or half of them and demand more ransom, but if you think about it they are in business and if they didn’t actually release the files then people would stop paying them. So typically they do actually send you the decryption key.

John W. Simek: Sherri, you mentioned that this whole Ransomware stuff is big business, but how much money are we talking about? How much do the criminals really make from this whole Ransomware campaign stuff that’s being going on?

Sherri Davidoff: I read an article last week. CNBC reported that Ransomware, and I am quoting, “Ransomware is on track to be a $1 billion business in 2016, and it’s only going to increase from here.”

I also wanted to share with you some statistics on this, because last year the Cisco Talos research team was actually able to get access to a Ransomware server, so a server that goes and compromises your computer — hopefully not your computer, but lots of computers and infects them with Ransomware. And it’s important to understand that this crime is being perpetrated by organized crime groups. It’s not individual hackers most of the time.

These organized crime groups are licensing hacking software in the cloud. We call these exploit kits. So organized crime groups will pay a monthly fee, say $3,000 a month, that’s pretty typical to use these exploit kits in the cloud that have lots of nice features and make it very easy to infect your computer.

One of these exploit kits was called Angler, and I say “was”, because Angler was shut down in 2016 when the criminals that ran it got arrested, and that’s fairly rare for the criminals behind this to get arrested.

I want to use Angler as an example though of the financial statistics because we happened to know a lot about it. There are also many others like it today.

So a year ago in 2015, the Cisco Talos research group actually got access to the Angler server and they found that this one server enabled criminals to break into 3600 computers. The next thing they found was that 62% of the time the criminals were installing Ransomware; so that’s a big moneymaker.

The other 38% of the time they could install whatever they wanted, maybe they were installing programs that steal your passwords or things like that, but 62% of the time the criminals were installing Ransomware. So that means using this one server they infected about 2,200 computers with Ransomware and they demanded on average a $300 ransom.

Now Symantec reported that about 2.9% of Ransomware victims pay the ransom. That’s pretty small, that’s less than 3%, but if you do the math you will find that means that this one server was generating over $19,000 per day, that works out to over $7 million a year and that’s just one server.

John W. Simek: Geez.

Sharon D. Nelson: Wow. Wow.

Sherri Davidoff: It’s pretty eye-opening.

Sharon D. Nelson: Yes, great stats. So what should someone do if they think their computer or their network is infected with Ransomware? What’s the first step and then step after that?

Sherri Davidoff: Well, you have to act quickly. Time is of the essence. The very first thing you should do is pull the network cable out or find some way to get it off of your wireless network, because remember, it’s trying to find other victims, it’s trying to find other files on your network to encrypt. So pull that network cable as quick as you can so it can’t get to the rest of your network and keep spreading.

If you have any connected USB devices, pull those out right away. I know some people have backup drives connected by USB and those backup drives will get encrypted if the Ransomware can get access to them.

Number two thing you should do is, call IT, immediately call a technical person. Don’t wait. If you don’t get through right away call another IT person. They might tell you to pull your computer’s power cord. If you do, pull it right out of the wall, don’t try to shut your computer down nicely, because the Ransomware can tell if you’re trying to shut your computer down nicely and it might prevent that from happening.

(00:09:56)

If your computer shut down, the Ransomware can’t keep running and encrypting your files, so a second step you may want to take, and I would check with your IT person for guidance, is to just pull the power cable out of the wall.

The third thing you should do is figure out as quick as you can what actually got encrypted and what the extent of that damage was. If you have backups for that data, awesome, this really shows you the value of backups and taking them regularly, like everyday. If for whatever reason you can’t actually restore from backups, then check to see what kind of Ransomware you have, because certain types of Ransomware, companies have been able to circumvent.

For example, Kaspersky released a tool to the public that will decrypt any files if you were infected with certain strains of the CryptXXX Ransomware. So, if all of that fails, you might have to pay the ransom, and if you are going to do it, you should definitely do it quickly before you risk having the price go up.

And then finally, the last thing you should do is report it to the FBI, because they are tracking these cases. You can do that either by contacting the local field office or you can go to the Internet Crime Complaint Center at  HYPERLINK “mailto:ic3.gov” ic3.gov.

John W. Simek: So Sherri, we have got a lot of lawyers that listen to these podcasts, can you give some advice as to how they can prevent Ransomware from occurring within their own offices?

Sherri Davidoff: Absolutely. Like we talked about earlier, an ounce of prevention is worth a pound of cure. Make sure that you are educating everyone in your office about the dangers of phishing emails and scams also on social media sites. Just last month there was actually a big news story about how the Locky Malware, the Ransomware is spreading through booby-trapped images on Facebook. So nowadays you have to be careful, not just about links or attachments in email, you also really have to be careful about social media. But education is the number one priority.

John W. Simek: Or don’t use social media, right?

Sherri Davidoff: Well, that’s a really good point. A lot of organizations are blocking it by default, especially because people have their own phones and their own personal tablets that they can use if they want to hop on social media. So four years ago blocking Facebook would have been extremely unpopular, and today, it’s something that most offices can live with, because people who leverage those on a regular basis can still use their own personal phones, but it’s a very smart idea to block it in your office, because it really increases the risk of infections like this.

John W. Simek: Great advice. Well, before we move on to our next segment, let’s take a quick commercial break.

[Music]

Sharon D. Nelson: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes Website Scanning, Web Application Firewall, including DDoS mitigation, and 24×7×365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at  HYPERLINK “http://www.sitelock.com/legal/digitaldetectives” sitelock.com/legal/digitaldetectives.

[Music]

Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today, visit  HYPERLINK “www.pinow.com” www.pinow.com.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is “The Ransomware Epidemic in Law Firms: A Guide to Ransomware Defense and Survival”. Our guest is Sherri Davidoff, who is the CEO of LMG Security.

Sherri, how can somebody limit the damage caused by Ransomware if they get infected; I think you answered a piece of this before?

Sherri Davidoff: Yeah, absolutely. There are three things that you can do. Number one, of course, make sure you are taking regular backups of everything that’s important, so that if someone does get infected, you can restore that information right away.

And always test your backups. I can’t tell you how many times I have heard horror stories about people who think they are taking backups on a regular basis, but then when they need them, something went wrong and they are not actually available.

Karen Sprenger, who is our COO says, over and over, test your backups regularly, make sure that they are working.

The second thing you can do is that make sure everybody knows who to call and what to do if they get infected with Ransomware. We just talked about how time is of the essence and a couple of the first steps you can take getting it off of the network and potentially pulling the power cord, calling IT. You have to make sure everybody knows those first steps and that they also know how to recognize when a Ransomware infection is taking place. You don’t want to wait until it spreads through that whole network.

(00:15:11)

The third thing that I would really love to mention is an often overlooked point. One of the reasons that Ransomware is so damaging is because we trust each other. Many offices give everybody access to all kinds of files that they may not need. The Ponemon Institute did a survey a couple of years ago and found that 71% of people have access to files that they really don’t need to do their jobs.

And it can be — I think a lot of times managers are worried about hurting people’s feelings by saying, you don’t really need access to that folder anymore, we are going to take it away. It’s easier to give people access than it is to remove it.

But it’s no longer just about convenience and feelings, it’s also about liability, and it’s also about the risk that that opens up. Now, if one person gets infected with Ransomware, that malware can spread and encrypt every single file that that person has access to.

So think about how many people in your office have access to huge amounts of data. If there’s one thing that you make a priority in 2017, make it the year of auditing permissions. That sounds so exciting, 2017 is the year of auditing permissions. I am so looking forward to it. But now is the time to go through all of your company’s file permissions and take away anyone who doesn’t need access to a particular folder, lock it down and that way if one person clicks the link, they can’t accidentally encrypt everything.

Sharon D. Nelson: It may not sound exciting, but it sounds very effective, Sherri, thank you.

John W. Simek: Sherri, let’s talk specifically about email itself and how would somebody recognize whether an email message would contain Ransomware or some other malware?

Sherri Davidoff: Well, it can be very hard to tell these days. Obviously there’s some low-hanging fruit. At LMG we like to say, think before you click. My friend Mike Wright, who did IT for a bank, actually came up with that. Typically, malicious emails will have some kind of a lure, like a free gift card or a tax refund or get your iPod, and if you click on that or if you open an attachment like a coupon, then you will get infected. Remember, if it’s too good to be true, it probably is.

Other times, phishing emails are designed to scare you or trick you into clicking on a link or opening an attachment. And again, a hallmark of those is that there will be some kind of urgency involved, some reason why they are trying to convince you to do it right now before you have time to think about it.

So when you see an email, ask yourself, number one, do I even know this person? If you do know them, number two, are you expecting an email from this person? And remember, their account could have been hacked, so even if it comes from someone you know, their account could have gotten compromised.

We see a lot of attorneys who get Ransomware and other forms of malicious software because the client’s email account has gotten hacked and the attacker will send an email to the attorney saying, hey, I want this information or, hey, click on this link because they know that if you get infected, they can probably get access to a lot of other types of juicy information and also they can get access to other victims.

Sharon D. Nelson: One of the questions we hear all the time Sherri is, is Ransomware considered a data breach; I know what our answer is, but what’s yours?

Sherri Davidoff: Oh, I am curious to know, what’s your answer?

Sharon D. Nelson: It depends. It’s a security incident, but it may or may not be a breach.

Sherri Davidoff: Yeah, absolutely. It is a security incident, and I have the exact same answer, it depends. I think it’s a very important ethical question. It depends first on the capabilities of the Ransomware and also on the legal definition of a data breach, which can vary state by state, jurisdiction by jurisdiction.

So keep in mind that some Ransomware also gets installed along with information-stealing malware. Last spring, SecurityWeek, for example, reported that the CryptXXX Ransomware had information-stealing capabilities, and that means when you get infected with ransomware that’s designed to steal your data, as soon as it’s installed, it can crawl through your system, search for Word documents, Excel spreadsheets, text files and upload all that to a server without you ever knowing, and maybe even before you detect it.

So understanding the capabilities of whatever you have been infected with is extremely important. A lot of times IT folks will clean off your computer and just wipe away the malware, and what that means is that if someone asks later, you will never know exactly what it was capable of doing. So it’s always smart to save a copy of the malicious software, and that way if you need to do more digging later, you can have a professional analyze it and tell you definitively what it does.

And that takes us to the second part of that question, is Ransomware considered a data breach? And as you know, I am not a lawyer, Sharon, you are a lawyer, and that’s why I would love to hear more about your input. This summer my colleague Chris Cwalina from Holland & Knight in DC, he specializes in data breach law, and he took the time to walk me through different state laws, and in some states of course you declare a data breach if there has been unauthorized access to information.

(00:20:03)

In other states, you only declare data breach if there was evidence of acquisition, and that’s a very important distinction, I think. So that means if a criminal went through your computer and encrypted all your files, did they have access to those? Because if so, that could require you to treat it as a data breach under some state laws.

So that is my non-attorney take on it.

Sharon D. Nelson: Yeah, we usually say that under most state data breach notification laws, if the data is encrypted, then you do not have to report it as a data breach. The exception to that is the State of Tennessee, which doesn’t seem to realize that when data is encrypted people are not going to actually have access to the data. But that’s why encryption is so important and people need to be very firm about making sure all their data is encrypted. And in most states you will not have to report it as a data breach, if there’s no evidence of the encryption being broken at any point.

So that’s the legal answer from — at least from here.

John W. Simek: But that’s encryption that you control, Sharon. That’s different than Ransomware encryption.

Sharon D. Nelson: Oh yes. No different than — that’s right, you’ve already encrypted it all, so yeah, it’s encryption on encryption.

Sherri Davidoff: Here’s another question for you because I’m soliciting free legal counsel. I have seen some cases over the years, where like a laptop goes missing or gets stolen and it was encrypted but the passcode was taped to it or on a paper with it.

John W. Simek: Oh my word.

Sherri Davidoff: And according to state law, I think there are some states where you still wouldn’t have to report it because technically it’s encrypted. It seems like legislators are catching up though. What is your take on this?

Sharon D. Nelson: The law is always limping behind the criminals, that’s for sure, but in most places, if you leave a passcode taped to the laptop besides being a blinking idiot, you have given access to the data. So that you know the data is going to be decrypted so it’s no good. I mean, that most state laws today are savvy enough that you would have to acknowledge that there’s been access to the data.

John W. Simek: Well, you wouldn’t have reason to believe that there would be a reasonable person who would actually access it.

Sharon D. Nelson: Yes.

Sherri Davidoff: I can — some listeners peeling sticky notes off their computers, right now, and peeling and taking away from laptops.

Sharon D. Nelson: By the thousands, yeah, every time we give a lecture, they’re peeling sticky notes off and stuff because that’s where we go when we do something sort of dishes, we go in and we know where all the stickies are, and that’s what people do. They’re all over their drawers and under their keyboards and everybody knows where to look.

Sherri Davidoff: Yeah, and guys don’t put those sticky notes right in the trash for those of you that are crumbling them up.

John W. Simek: That’s right. Sherri, tell us how can someone — can we actually see an example of Ransomware in action, and please, let our listeners know how they can contact you.

Sherri Davidoff: Absolutely, at LMG, we actually undertook an exciting project last year, we built a whole virtual laboratory, a small business network and we infected it with Ransomware and we took videos of this. It was really fun for our team, it also was a ton of work, but you can see the results of that online. You can actually watch a person click on a link in a phishing email and see the Ransomware go and encrypt all of the files on the person’s desktop. It’s very creepy. They turn from Excel spreadsheets into these blank files with a dot fun extension.

And then, it actually goes on and encrypts all the files in their network shares in the network and then it encrypts all the files in their cloud repository, OneDrive. So it’s really creepy to watch, it’s also a really great training exercise. You can see that in our YouTube channel LMG Security, and you can also go to  HYPERLINK “http://www.lmgsecurity.com/ransomware” www.lmgsecurity.com/ransomware for a link to it.

Sharon D. Nelson: I don’t think you’ve ever sent me a link to post in my, Ride the Lightning blog, have you, Sherri?

Sherri Davidoff: Oh, I don’t think so but I’d love to.

Sharon D. Nelson: Oh yeah, let’s go ahead and do that. Let’s go ahead and do that.

John W. Simek: I would be a little leery of clicking on things that Sherri sent you.

Sharon D. Nelson: Well, I will tell you what, to project my readers I will click it first.

Sherri Davidoff: I made an announcement to our team the other day and they didn’t trust me, they thought I was trying to phish them and no one actually went to the website I was telling them to go to.

Sharon D. Nelson: That’s hysterical. That’s hysterical, and how can our listeners get directly to you if they need to?

Sherri Davidoff: You can email  HYPERLINK “mailto:info@lmgsecurity.com” info@lmgsecurity.com and I will see that and our team also sees that as well. So we’ll make sure to get back to you right away.

Sharon D. Nelson: Well, we sure want to thank you, Sherri, for joining us today. You’re always a very fast-paced talker. I always thought I was fast but you are faster than me.

Sherri Davidoff: Oh well, I thought you warned me, we have limited time, I was trying to get quick.

Sharon D. Nelson: No, but you’ve got it all in there, the whole thing, it was great. I think you did 60 minutes in 27, so that was wonderful. And our recording engineer has been chatting with us on Skype, telling us how wonderful it is. So you’re doing an excellent job and it’s nice to have all this practical knowledge and to get it condensed, and some people actually listen to these things at double speed, and with you, I don’t think they’re going to be able to do that.

(00:24:57)

Sherri Davidoff: Well, it’s such a pleasure to come on here, and hopefully, we can help people avoid Ransomware and make the world a better place.

Sharon D. Nelson: Amen.

Sherri Davidoff: Sharon, I have one more thing that might be worth mentioning, I don’t know if you want to include it, but Sharon has been helping us to organize a webinar called Ransomware Prevention and Response, which is going to happen on April 19 through the American Bar Association. So I will be presenting there with my good friend, attorney Shane Vannatta, we’ll be talking more about Ransomware and the ethics of ransomware, and thank you again, Sharon, for helping us get that started.

Sharon D. Nelson: Terrific.

John W. Simek: That does it for this edition of ‘Digital Detectives’. And remember, you can subscribe to all the editions of this podcast at  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com or on iTunes. If you enjoyed this podcast, please review us on iTunes.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics technology and security services at  HYPERLINK “http://www.senseient.com” senseient.com. We will see you next time on ‘Digital Detectives’.

[Music]

Outro: Thanks for loosening to ‘Digital Detectives’ on the Legal Talk Network. Check out some of our other podcasts on  HYPERLINK “http://www.legaltalknetwork.com” legaltalknetwork.com and in iTunes.