Law Firms, Take Notice: The US is Cracking Down on Ransomware Gangs

Episode Notes

Transcript

Intro: Before we get started, I’d like to thank our sponsors PInow.com and CaseFleet.

[Music]

Intro: Welcome to Digital Detectives Reports from the Battlefront.  We’ll discuss computer forensics, electronic discovery, and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice.  Right here, on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 132nd Edition of Digital Detectives.  We’re glad to have you with us.  I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cybersecurity, and managed information technology firm in Fairfax, Virginia.

John W. Simek: And I’m John Simek, Vice President, Sensei Enterprises.  Today on Digital Detectives, our topic is, “Law firms take notice the US is cracking down on ransomware gangs.”  Today, our guest is Ariel Parnes, Chief Operating Officer at Mitiga.  He is a retired Colonel of the Israel Defense Forces 8200 Cyber Unit where he served 20 plus years in a wide range of roles in the areas of intelligence, information technology, offensive and defensive cyber operations, and cyber warfare.  He was awarded the prestigious Israel Defense Prize for technological breakthroughs in the cyber field.  It’s great to have you with us today, Ariel.

Ariel Parnes: Hi, John.  Great to be here.  Hi, Sharon.  It’s great to be here, and thank you for inviting me.  It’s a great pleasure.  I’m looking forward for a very interesting conversation.

Sharon D. Nelson: Thank you, Ariel.  We certainly understand your depth of cybersecurity expertise.  But would you tell our listeners a little more about your company, what it does and what your role is there so that they have contacts before we ask some of the other questions?

Ariel Parnes: Mitiga is an Incident Response and Readiness company for cloud and hybrid environments.  We have an innovative solution that dramatically reduces the impact of a cyberattack by accelerating the investigation when it happens and by preparing the organization for cyberattack.  We are globally company based out of New York, London and Tel Aviv, and I’m one of the three co-founders.  I’m the CEO and responsible for designing and delivering of innovative solutions for clients worldwide.

John W. Simek: Ariel, our large portion of our listeners are law firms and, as you know, they’re one of the most popular targets for the ransomware gangs because they hold so much valuable, confidential data of many individuals and bunches of companies as well as governing confidential and, sometimes, it’s even classified data.  Some of the recent news that we’ve heard about which is really important to them as the government steps up the war against ransomware, which is kind of why you’re here today.  So, can you tell us about the five — I pronounce it REvil.  Some folks I know pronounce it R-Evil because they really are evil, arrest in November.  And why those arrests were significant?

Ariel Parnes: During November, we have witnessed the investment of five people by law enforcement.  That was the result of a joint effort of some say more than 70 countries including US, UK, France, and Germany together with the FBI and the Europol and other authorities to fight against one of the most powerful cybercrime or ransomware groups, the REvil or R-Evil or Ransomware-Evil.  This REvil group was and is still one of the most powerful groups out there.  They have been conducting more than thousands of ransomware infections.  I think the number I have is about 5,000 ransomware infections and not only that but also providing the ransomware capability for others to use.  It’s what usually is called out there, ransomware as a service.  And this was one of the main targets of this large campaign, global campaign against ransomware that we are witnessing, and we were going to talk about that because this is to me a, what I call a multi-layered campaign against ransomware, and this arrestment of these five people that were active in this group, I think most of them in Europe is one aspect of these many layers of campaign that we see that include international cooperation and law enforcement activities, nation-state capabilities that we didn’t see in the past being involved in this effort.  For example, we know that wiretapping was used during this investigation to track and find these people.  Regulation, another aspect with the goal to reduce the ROI, so to say, of the ransomware crime.  In essence, we have to see or to look at the ransomware activity as the business, maybe not a legal one, but a business that works with an equation of cost, profit and risk.

(00:05:04)

So, they need to understand or they need to see that the cost is low, the profit is high, and the risk is low.  And while this happens, this is a good business by arresting these people.  This is one approach or one way to have an influence of this equation by increasing the cost of the ransomware criminal or ransomware groups to conduct the ransomware attack because they have less people or it’s harder for them to find these people or to hire them because of the risk, by increasing the risk.  And this is one way and we are going to talk about many other ways, this campaign is trying to reduce the ROI of a ransomware attack.

Sharon D. Nelson: Yeah.  I love your description of the multi-layered attack because that really is what it is.  And another one of those attacks was when the Department of Justice seized a million dollars in cryptocurrency from another REvil affiliate also very heartening to the law firms who have been ransomware victims, and I think I have that number wrong.  So, you correct me when you answer.  But how were they able to seize it?  And do you think that that’s a measure that the government will now be looking to take more often?

Ariel Parnes: First of all, what I read today that the number went up to $2.3 million.  This is definitely one of the effective ways to conduct this multi-layered campaign.  And the way this is done — well, a cryptocurrency, in order to use cryptocurrency and cryptocurrency is the way that these criminals get their money, you need to have a wallet.  A wallet is a piece of software essentially that stores your currency and enables the interaction or the usage of this cryptocurrency in different ways.  Essentially, there are several ways to identify or to track the usage of wallets, and this is part of the, I would say the forensic investigation or the internal investigations that are their agencies or companies conduct during attacks.  And by doing that, they are able to identify or link the wallet with some activity to the extent that they are able to block them or confiscate them, and this is what we have been seeing.  For that, obviously, we need several capabilities and once the government or the nation becomes involved, we see additional capabilities in this game, which increases the probability of tracking a wallet or contacting to malicious activity.  And again, it goes back to reducing the profits in this game of ransomware attacks.  So, when ransomware criminal, when the money that he disappears, they’re reducing their profit, they’re increasing the cost for future attacks because they need to find alternative ways to get the money.  And by that we are breaking and again, trying to have an impact on this equation of ROI or the cost and profit of a ransomware attack.  So, to me, it’s another layer and a very important one in fighting against the ransomware plague.

Sharon D. Nelson: I like the idea that we’re making it riskier too, but that’s your question, John.  So, I’ll let you take that one.

John W. Simek: I was also going to add, though.  I think it’s particularly challenging because, you know, bitcoin is the primary cryptocurrency that they use and bitcoin is like through the roof.  Its value is like skyrocketed.  And so, you talk about that risk-reward thing, you know, the reward is huge now.

Ariel Parnes: You’re right.  You’re right.  This is probably, definitely.

John W. Simek: Yeah, makes it very challenging.  But on to the next thing is that a lot of our lawyer friends to their surprise, but they’re also delighted that the Department of State is, you know, we now have rewards now.  They’re offering up to $10 million for the name or the location of any key REvil leader and up to 5 million for information about any other REvil affiliates, and we’ve never really ever seen that before and certainly not to that extent, that amount of money.  What do you think, Ariel?  Do you think those bounties are going to work in that we are going to see more of them in the future?

Ariel Parnes: I see three different aspects hearing this attempt to add this layer.  And again, think about the many layers that we are adding into this campaign.  So, we need to see that as one of many layers.  But when I see this, I see three aspects of it.  One is the actual declarative aspect.  So, by saying that, what the government or what the authorities are saying is that we are serious with regards to our campaign, and this is by itself a valuable move or valuable activity because it is part of the general approach or general message that they are trying to convey to the world and to the cyber criminals that they are serious with regards to this campaign.  So, this is the declarative aspect of it.

(00:10:00)

The second one is the deterrence that comes with the fact that now, these people are worth money in terms of under risk of being betrayed by their friends or by others and think about the cybercriminal that until now, you know, what was the risk for him?  He was involved in ransomware, probably not very serious risk.  Now, they’re adding another layer of risk.  He now needs to be concerned about his relationship with others, his friends, his peers, whatever it is, and that adds another layer of influence on that equation of cost, profit and risk.  So, this is the second aspect of it.  Then, third aspect of it is the actual fact that by doing that with some probability, the Department of Justice will be able to get a different information intelligence and then catch the bad guys.  So, this is only one aspect of it.  The deterrence and the actual declaration are other aspects of it.  If you combine the three of them, I think the impact, you know, time will tell.  Time will tell, right?  But I think the potential impact here is there, and I think that adding that to the general multi-layered campaign is the wise decision and, on the other side, what the risk is.  So, we might as well try it.  And if it was perfect, if it doesn’t, we can always stop that, but I am optimistic.  I think this is a wise and a very correct step in the process.

Sharon D. Nelson: We join you in that.  We were very excited to read the news stories about all of these initiatives, and they were all taken pretty much at the same time.  So, it seems as though we are coordinating our efforts, which is wonderful.  Let’s talk about CISA and the FBI who were issuing ransomware alerts for holidays and weekends that really ramped up before Thanksgiving and, of course, it continues now.  But obviously during holidays and weekends, people are not generally working, not in the office, et cetera.  We just love to see these warnings.  How common are these kinds of attacks from what you see, Ariel?

Ariel Parnes: You know, the bottom line is that definitely very common.  First of all, we need to look at the numbers in general and just to give you a sense of what is happening with the ransomware because, you know, some people ask, is there a real increase in ransomware?  It’s just higher profile.  And the fact is that between 2019 and 2020, there was an increase of about 62% worldwide in ransomware attack.  But if you look at North America, it was a 158% increase.  And when you look at the first half of 2021, you see that the number nearly doubled, number of attacks.  This is yet another fact and figure that will give us a sense of what is happening.  The collective cost of the ransomware attack reported to the FBI during 2020 increased by more than 200% and the global ransomware cost expected for 2020 is $20 billion.  And just to give us all a sense of the increase in ransomware attack, in 2015, the number was 325 million.  So, from 325 million to 20 billion dollars, this is the general increase in ransomware attacks.  And when we look at this very sensitive periods of time, weekends and holidays and definitely the combination between weekends and holidays, we also see a specific increase in that period of time.  We’ve seen that during May 2021, we’ve seen that during Mother’s Day and during Memorial’s Day.  We, in Mitiga, seen that as well.  And the question is, why is that happening?  So, definitely what happens during these weekends and holidays is that there is less attention and less awareness, smaller groups if at all are there waiting for or defending the different organizations.  And more so, it’s harder to find people and to communicate in the middle of a crisis because of the holidays.  So, there is a direct impact on the early detection and the rapid response.  But even just having a good enough situational awareness of what is happening and an efficient crisis management, all that is reduced or impact by the fact that people are in a holiday.  And this is the best moment for a cyberattack.  So definitely, the attackers are worldly.  They leveraged that.  We see that and I think it was a great thing to do to increase the awareness of the organizations and generals of the public of the sensitivity of this times for ransomware attacks.

John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.

[Music]

Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation?

(00:15:00)

PInow.com is a one-of-a-kind resource for locating investigators anywhere in the US and worldwide.  The professionals listed on PInow understand the legal constraints of an investigation are up-to-date on the latest technology and have extensive experience in many types of investigation, including workers’ compensation and surveillance.  Find a prescreen private investigator today.  Visit www.PInow.com.

[Music]

Advertiser: What could be more important than knowing the facts of your case inside and out?  Case Fleets Powerful Software makes it easy to create a chronology of each case and to track the evidence for each fact.  With an intuitive interface, full text search and built-in document review, Case Fleet makes fact management easy.  Sign up for a 14-day free trial at casefleet.com/DigitalDetectives and get 10% off your first subscription.

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network.  Today, our topic is, “Law firms take notice the US is cracking down on ransomware gangs.”  Our guest is Ariel Parnes, Chief Operating Officer at Mitiga.  He is a retired Colonel of the Israel Defense Forces 8200 Cyber Unit where he served 20 plus years in a wide range of roles in the areas of intelligence, information technology, offensive and defensive cyber operations, and cyberwarfare.  He was awarded the prestigious Israel Defense Prize for technological breakthroughs in the cyber field.

John W. Simek: Well, Ariel, the Ragnar Locker ransomware group has threatened to reveal the data of victims who contact the FBI or other authorities, in other words, if they report that they’ve had this ransomware attacks.  So, given the data breach and other laws that we have here in the US, do you think this is going to have any impact at all on whether or not people actually report these breaches?

Ariel Parnes: Well, I think you know when you look at the ransomware attack, in the middle of a ransomware attack and try to understand what is that a decision maker is doing during this crisis.  Essentially, what they are doing is trying to calculate the cost of each alternative, right?  One alternative is to pay.  The other one is not to pay.  And then, you need to estimate the cost with a high level of uncertainty with regards to the different aspects of the cost.  Who is the attacker?  What assets do they have?  Which data do they have?  What are the regulatory implications, et cetera?  What these guys are trying to do is to leverage their position and then thread to have an influence on the equation on their favor.  And the bottom line is that I think that, in some cases, it will have an influence.  But then, what we need to do is to fix it by having influence on the other side of the equation, by improving the Readiness of ransomware attacks so that this threat will be less relevant by increasing the cost of payment and, more so, increasing the value of cooperation with the authorities so that the equation will turn again towards the side of not paying.

Sharon D. Nelson: Well, here’s hoping.  The federal government is now sanctioning cryptocurrency exchanges, wallets and individuals who aid ransomware gangs in converting cryptocurrency, and it strikes us that imposing sanctions may be difficult given the secrecy involved.  We’ve got to do some penetration work here, but it is another attack on the ransomware gangs.  What do you think about this tactic, Ariel?

Ariel Parnes: I think this is a great tactic to add into this multi-layered campaign, and I think it is about following the money, right, follow the money approach and it definitely increases the cost of the attacker because, now, he needs to find another way to get the money and to have access to it and it declares cryptocurrency exchanges.  So, it increases the risk for some of these criminals.  So, I think essentially that this is a very effective step if it is done in a consistent manner and in a broad manner.  Otherwise, it’s just one time.  Then, it doesn’t have any influence.

John W. Simek: Coveware recently published a report that some of the government measures that we’ve been talking about so far today have really been causing the ransomware gang, putting pressure basically on the ransomware gangs, which certainly is the intended impact.  But the ransomware gangs now are doing though is shifting from what Coveware called big game hunting to mid game hunting.  What do you think that’s going to mean for law firms?

Ariel Parnes: Yeah.  So definitely, what we are seeing is a shift towards a different profile of victims but with smaller organizations, smaller tickets but a larger number of these attacks.  And when you look at the law firms, most of them, a large number of them, you can see that as low-hanging fruit for cybercriminals.

(00:20:02)

Because, on one side, they have access or they have storage of very valuable information.  And, on the other side, most of them, not all of them, but most of them have less maturity or less orientations towards security cybersecurity.  That makes the equation of cost versus profit and risk more appealing for cybercriminals, hence, making them potential victims.

Sharon D. Nelson: You may not know the movie ‘Ghostbusters’.  I’m not sure.  Do you know that movie, Ariel?

Ariel Parnes: Yeah, I definitely do.

Sharon D. Nelson: Okay.  Well, in that movie, these three who are busting ghosts that kind of tag line there is, “Who you going to call?”  So, we were very amused on November 16 when a congressional review report effectively said that ransomware victims don’t know who they’re going to call.  So, we’ve seen a shift from calling the FBI Regional Office usually, and it’s Internet Crime Complaint Center to contacting CISA instead, which is very interesting to us.  CISA seems to be gaining a lot more power.  Where is this confusing situation heading?  And who do you think the ransomware victim should contact first?

Ariel Parnes: I think Sharon I’m going to challenge the question, but I want to start by answering that.  I think, you know, I understand the confusion and I also understand that there is a transition here and shift of attention and maybe responsibilities within the system, but if I had to give a very simple answer, you need to call the experts when something’s happening, and the experts, it depends on who you are and who you’re working with could the insurance, your insurance, cybersecurity insurance could be your legal firm that is working with you or it could be an incident response vendor, such as Mitiga or others.  This is the first call that I would recommend you do.  Once you have them with you, they will be able to guide you through the process and connect with the right authorities and regulators and other components of this crisis management that you have to have.  But challenging your question, you know, the question needs to be, why do you want to wait until something happens to call them?  Call them in advance, make sure that you have a plan, a crisis plan, so that when something happens, you know who do you need to call, what’s the phone number and even maybe, you know, have an exercise and tested your readiness.  So, I think you shouldn’t be waiting for something to happen and rather have that call before it happens.

Sharon D. Nelson: We certainly believe in incident response plans and we lecture about that frequently.  But our answer to the question which is a little different than yours, which is fine.  But our answer is always call your data breach lawyer first because the data breach lawyer knows everything about all of this because they do it all the time.  And the data breach lawyer is going to want to be in at the very beginning before you call any of the other people on that list.  And so, that’s our recommendation.  But, you know, good people could disagree on these things and we’ve certainly heard others say, you know, call the FBI or call the digital forensics people first, whatever said.

John W. Simek: I was going to add.  Apparently, everyone agrees though that you’re not going to call the Ghostbusters.

Sharon D. Nelson: Now, that part is true.

John W. Simek: Ariel, last month, the US Financial Regulators, they announced that the banks have to report cybersecurity incidents to Federal officials within 36 hours.  And it looks like there’s going to be some similar timing is going to be imposed on the critical infrastructure owners and operators as well as leading pipeline, rail, air transport companies.  So, the question that lawyers are certainly asking us these days is whether there’s going to be similar requirements imposed on the law firms.  What do you think about that?

Ariel Parnes: Essentially, the answer is yes, and I need to elaborate.  First of all, we already have demand for notification by GDPR Articles 33.  Within 72 hours or if I need to call without undue delay and were feasible not later than 72 hours after having aware of an incident, you need to report to the authorities.  This is specifically for GDPR, and I think what you see in GDPR, what we saw in GDPR a few years ago, what we are seeing now with other regulators in the US, this is a trend and will continue and that’s part of allowing this or supporting this multi-layered campaign.  So, yes.  I think that we need to expect that to happen.  I don’t know if it’s going to be 36 hours, 72 hours, but it doesn’t really matter.  The fact is that we will need to report and react rapidly.

Sharon D. Nelson: We certainly agree with you and I think that’s coming as well in just a question of when and what the hour time limit is.  But we want to thank you so much for being with us today, Ariel.

(00:25:01)

It was fun to discuss with someone who kind of does what we do.  It was fun to discuss some of these issues.  And I think you’re as excited as we are about what we’re seeing on the horizon with this multi-layered approach and a very well-thought-out approach as well.  So, it was just a joy to talk to you.  Thank you so much for joining us.

Ariel Parnes: Thank you.  Thank you, Sharon.  Thank you, John.  It was great being here and talking with you.  It’s a great pleasure.  And I think it’s a very important part of this campaign is also education and awareness and you’re doing that and this is great.  Thank you very much.

[Music]

John W. Simek: Well, that does it for this edition of Digital Detectives and remember, you can subscribe to all the additions of this podcast at LegalTalkNetwork.com or an Apple podcast.  If you enjoyed our podcast, please rate us.

Sharon D. Nelson: And you can find out more about Sensei’s Digital Forensics, Technology and Cybersecurity Services at scnscient.com.  We’ll see you next time on Digital Detectives.

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network.  Check out some of our other podcasts on LegalTalkNetwort.com and in iTunes.

[Music]

(00:26:11)

The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders and subsidiaries.  None of the content should be considered legal advice.  As always, consult a lawyer.

Podcast transcription by Tech-Synergy.com