We have all seen a wave of ransomware attacks in the news as of late. For those who are unfamiliar, ransomware is a type of malware that threatens to publish, destroy, or block access to the victim’s data unless a ransom is paid. The ransom is usually paid to the attackers through cryptocurrencies like Bitcoin, impairing the ability to trace the transaction back to the perpetrator. Targets of all sizes, such as Colonial Pipeline, McDonald’s and the University of California, all the way down to dental practices, have fallen prey to these attacks. No one is immune.
So could you be next? And what can we do to prevent these attacks from happening to us? On Lawyer 2 Lawyer, host Craig Williams is joined by Thomas J. Holt, director and professor in the School of Criminal Justice at Michigan State University.
Thomas J. Holt: The protocol, if you think you’ve received a questionable email, is: don’t click on anything, don’t respond to the individual sender, just either mark it as spam or delete it from your folder and move on. Because the second you start interacting with it, that’s when the risk of infection increases dramatically.
Intro: Welcome to the award-winning podcast Lawyer2Lawyer with J. Craig Williams, bringing you the latest legal news and observations with the leading experts in the legal profession. You’re listening to Legal Talk Network.
J. Craig Williams: Welcome to Lawyer2Lawyer on the Legal Talk Network. I’m Craig Williams coming to you from Southern California. I write a blog named May I Please the Court. I have two books out titled How to Get Sued and The Sled. Well, we’ve all seen a wave of ransomware attacks in the news as of late. For those who are unfamiliar, ransomware is a type of malware from cryptovirology that threatens to publish the victim’s personal data or block access to it unless a ransom is paid. The ransom is usually paid to these attackers through cryptocurrency like Bitcoin, so it’s harder to trace back to the perpetrator. In a recent interview with Yahoo Finance Live, John Chambers, former CEO of Cisco Systems, shared that United States companies are expecting to endure over 65,000 ransomware attacks this year, and that’s a conservative number. Targets of all sizes such as Colonial Pipeline, McDonald’s and the University of California, all the way down to small dental practices, have fallen prey to these attacks. No one seems immune. So could you be next, and what can we do to prevent these attacks from happening to us? Today on Lawyer2Lawyer we’ll be discussing ransomware attacks, cyber-crime prevention and what to do if you, your firm or your company become a target. And to do that we’ve got a great show for you today. Our guest is Thomas J. Holt. He’s the director and a professor in the School of Criminal Justice at Michigan State University. His research focuses on computer hacking, malware and the role of the internet in facilitating all manner of crime and deviance. His work has been published in various journals including Crime and Delinquency, Deviant Behavior, The Journal of Criminal Justice and Youth and Society. Welcome to the show, Tom.
Thomas J. Holt: Thank you for having me. I appreciate it.
J. Craig Williams: Well, Tom, before we get into the details of ransomware attacks, can you just kind of give us a general overview of what ransomware is and how it affects computers?
Thomas J. Holt: Sure. Ransomware is a kind of malicious software and it works by encrypting files on the system itself. So if you wind up getting a piece of malicious software like ransomware installed on your computer, it will systematically encrypt every file on the system and it will not give you access to the decryption key until the individual operating the malicious software receives payment. So at that point, they then provide the decryption key through the system to unlock all of your files. So essentially you have to pay for access to the content on your device.
J. Craig Williams: Right, and there’s no guarantee then that even if you do pay that you’re not going to get attacked a second time, is that correct?
Thomas J. Holt: That’s true. Many ransomware actors seem to move on once they’ve hit a target once. There doesn’t appear to be a tremendous amount of repeat business, but they can do different things with your system after the fact. Once they’ve been inside, they may have established a back door or may revisit for other purposes aside from ransomware.
J. Craig Williams: So who are usually the victims or targets of these ransomware attacks?
Thomas J. Holt: It’s evolved over time. Initially it started with attacking individuals, the home computer user, and once they found that individuals were willing to pay, the volume of attacks increased and the target set expanded from there. It went from individuals to small businesses to, for some reason, hitting a lot of law firms during a period of time, and now it’s moved from the small to medium business community to essentially high-value targets: from hospitals to educational institutions to, like we saw most recently, pipelines and meat processing plants. Virtually anything.
J. Craig Williams: Could it also be prompted by a nation-state and used in a state of war to basically shut down, as we found out, our pipeline systems, our electrical grids, our water systems? I mean, how bad can this actually get?
Thomas J. Holt: It could be very bad. To date, the only instance that I’m aware of where we’ve seen ransomware used by a nation-state, and it wasn’t particularly effective, is the WannaCry ransomware from a few years ago, which appears to have originated from North Korea. So that was an example of a nation-state mostly seeming to engage in the attack for financial purposes. But Russia has also utilized a tool called NotPetya, and NotPetya is essentially called that because it’s like a piece of ransomware called Petya, but it doesn’t actually decrypt the files after the fact. It just basically bricks the whole computer.
J. Craig Williams: And by bricks you mean it’s completely unusable? Won’t even turn on?
Thomas J. Holt: Correct. Essentially the system is broken beyond a state of repair.
J. Craig Williams: Time to buy a new computer. So beyond the nation-states and hackers, who’s behind these things?
Thomas J. Holt: By and large it seems to be hackers who are motivated by money. They realize that people are going to pay to get their files back. It’s imperative in most cases for the individual that they get the photos or videos or whatever content is on their device back, so they’re willing to pay. Some people who’ve got very recent backups, if they were to be affected, may not necessarily pay just because they know that they have a resource they can go to that will pull up virtually everything they had stored. But in corporate environments, that’s where it’s much more difficult, because the systems that can be affected might be mission critical for payment processing or customer records or material that you need access to immediately. And so when that happens, that’s when there is a huge problem that requires payment, because there’s very little other way to get access to those materials again.
J. Craig Williams: So what can companies do to protect themselves against this? Are there standards out there?
Thomas J. Holt: To date, there are some tools that can be used, but it seems like most ransomware operates through phishing emails, because by and large the individual user is the hardest target to secure. You can have antivirus on a system. You can have good firewalls in place. But if you can get one email through that an individual in the environment is willing to click on, and then it executes the payload of the software, then all bets are off.
J. Craig Williams: So it’s a true wetware problem?
Thomas J. Holt: It is to a large extent. And so some of the most important things to do at the moment are to provide very clear education to your employees about what they should be looking for in terms of questionable emails, when they should report getting something, and what the protocol is if you think you’ve received a questionable email. In other words, don’t click on anything, don’t respond to the individual sender. Just either mark it as spam or delete it from your folder and move on. Because the second you start interacting with it, that’s when the risk of infection increases dramatically.
J. Craig Williams: I’ve gotten, as an attorney, some emails from other attorneys that I know allegedly sending me settlement documents. I don’t have an active case with that attorney and I shouldn’t be getting settlement documents from them. Should I respond to the attorney, advise him that he’s been hacked, or what should I do with that email?
Thomas J. Holt: In most cases, if you don’t know the individual sender, I would not reply. The problem with a lot of spam email or unsolicited email, especially if, you know, I’ve had no business with this person before, is that it will essentially signal to the operator, “Hey, there is a live person behind this email address.” If you never get a response, well then, we’ll move on to another target that will interact with us. But if it seems like an email address that actually corresponds to an attorney is being used, the email address in and of itself is insufficient. That can be spoofed or faked by a sender in order to make their email appear legitimate. And you see this quite a bit not only with ransomware but with another more recent problem sometimes referred to as business email compromise, where attorneys — you see this to some extent in real estate, where large amounts of money need to move quickly from one person to another or from one account to another. And so if you can fake that account and make a request for either a settlement or for an escrow payment or something else, then you can make that transaction happen quickly. The individual managing the account where the money is sent, the cyber-crime offender in this case, is going to take those funds and move them as fast as they can away from you as the victim.
J. Craig Williams: So one of the keys here is go slow and pay attention?
Thomas J. Holt: Absolutely. Anytime someone is screaming at you that this is an immediate reply needed, take a step and a deep breath and say, “Who is this? Why are they asking for it and why does it demand immediate attention? Is it real or is it questionable?”
J. Craig Williams: And there also seems to be a lot of emails coming at me that say, “We want to pay you money” and it’s seemingly from another attorney or from some bank that appears to be reputable. Likewise, another email to stay away from, right?
Thomas J. Holt: Correct. Phishing emails, the ransomware emails, business email compromise, all of them are of a similar cloth, where it’s all about getting some type of immediate response. Linking it to money makes it much more likely they’re going to respond, and if they’re asking for sensitive details like your bank account or routing numbers or other sensitive material, that’s the kind of info where you have to ask, “Why would I give this away?”
J. Craig Williams: So let’s assume that it happens, hackers send you an email and they name a price for ransom. What steps do you take?
Thomas J. Holt: If the infection is active and your files have been encrypted, and let’s just say for the sake of argument it spreads through your network and you’ve got 10 computers that are down, the most important thing to do would be to contact law enforcement and be ready to make a payment. I say that because for a long time there have been questions about whether it’s right to pay or whether it’s the appropriate thing to do. But by and large, if you don’t have a recent backup of data to go to, you don’t have a lot of other options. And there are companies that will negotiate ransoms with the ransomware actors, the criminal groups involved, because they want some kind of payment. You might not be able to provide them with, you know, a hundred thousand dollars if that’s their asking price, but if you can give them something, they’ll probably be inclined to decrypt your files. So it’s not always a set price. There is the potential for talking down the amount, but it is something that many agencies and many companies have had to grapple with: the fact that yes, we’re going to have to pay these people.
J. Craig Williams: And recently in the case of the Colonial Pipeline matter, I believe that the FBI got some of the payment back.
Thomas J. Holt: That’s correct, and this is one of the few instances that I’m aware of where the funds were actually able to be recovered by law enforcement. In many cases, it’s just been considered a loss. If you look at some cyber insurance policies that a company may have, the ransom could actually be part of the settlement. So when you make the insurance claim, if you had a $200,000 ransom to pay, that could just be lumped into the overall settlement that you make with your insurance provider.
J. Craig Williams: That’s an interesting point. Let’s talk about that insurance. Is that the kind of insurance you would expect to get on a regular and everyday business insurance policy or is it a specialty policy that requires you to flag it and say, “I need this kind of coverage.”
Thomas J. Holt: Oftentimes it’s something that may not be provided by every single insurance provider, but if you’re dealing especially in mostly digital materials that are heavily sensitive and dependent on careful protections, and their loss could have demonstrable harm to you or your customers, then it’s worth exploring. Often you hear of cyber-attack insurance being used by larger companies, or at least by medium or larger enterprises. As an example, in Lansing, Michigan, where MSU is located, the Board of Water and Light was hit with a ransomware attack, and I don’t recall the exact amount paid, but their eventual insurance claim was almost two million dollars. And so it is the kind of thing that a company or an entity of some type can get, but it does require some very careful review. The kinds of things that are required by those policies may also be beyond some small and medium businesses, wherein you have to ensure that you’ve undergone a degree of security audit to comply with various standards and that you’re updating at different times. So there are varying aspects of those policies that may or may not be feasible depending on the size of your entity and the types of IT management you have at your disposal.
J. Craig Williams: I see that Windows 10 has recently integrated antivirus and ransomware protection. Is that sufficient? What more needs to be done?
Thomas J. Holt: It’s a very good start. Anything that will help automate the process to some degree of protection is important. And with ransomware, it is a millisecond kind of difference that can matter. So when a person goes through that email and activates a link or downloads a specific tool or executable, you may have milliseconds before it activates and installs. And so that can be a useful mechanism. But again, the biggest challenge is going to be making sure that your human users in the environment know what to look for and know when not to interact with an email or some other materials.
J. Craig Williams: What kind of things should companies put in place to protect themselves against ransomware? Are there pieces of hardware beyond training employees?
Thomas J. Holt: So up-to-date cyber security tools are very important. Again, some of this may be dependent on the size of your company or whatever sort of organization you work for. So in an enterprise, you can have very strong firewalls at your border and you might have an intrusion detection system in place, or at least something that can tell you the general flow of traffic in and out of your network. Those are all going to be important tools to help long term in the identification of not only active ransomware but hackers who are moving through your network. So as an example, if your normal business day is nine to five and you’ve got an odd IP address logging in from 1:00 am to 5:00 am, why is that? Is anyone working off-site? Is there any reason for this traffic? Because if not, then it’s time to start blocking and doing some investigation. So those are some reasonable tools that can be implemented. A good intrusion detection system can help, but it does not necessarily mitigate the problem. Good spam filtering is helpful, and that can at least block some types of content by policy. So as an example, blocking executables gives you the ability to minimize the risk of malicious software like ransomware just moving right through the network to your end users.
J. Craig Williams: What should small to medium-sized law firms do that don’t have that kind of capability?
Thomas J. Holt: If you’re outsourcing your IT infrastructure, particularly your cyber security infrastructure, educating yourself and your employees is still worth the investment, because that will make them harder targets in terms of the likelihood of responding to different threat emails. Having them aware of what a questionable email looks like and how to detect something that’s real versus something that’s fake is very important. If you are outsourcing, there are less expensive options for remote management. There are companies now that will do essentially third-party intrusion detection system monitoring. So that’s helpful. But if you’re doing it all by yourself or if you have one IT person, the most important things to do up front are to make sure that you’re regularly updating all the critical software that you use and you’re regularly backing up all the data that you have as well. That way, if you get hit with ransomware, your last backup wasn’t six months ago; perhaps it was a week ago. Having those kinds of standards in place gives you a little less dependency on risky data storage or data retrieval in the event of a problem.
J. Craig Williams: It seems now like most data has moved from internal servers and law firms to the Cloud. Do law firms need to really worry about this if all of their data is up in the Cloud?
Thomas J. Holt: If it’s in the Cloud, the risks are a little bit different, and I say that only because if an attacker has a foothold in your environment, if they’re able to obtain usernames, passwords, credentials for different aspects of your network, and that includes your remote access points, they can very easily start downloading those files and getting access to materials. So it’s imperative that you think about your whole environment inclusive of the Cloud. Because realistically, Cloud accounts are only as secure as the usernames and passwords that protect them.
J. Craig Williams: Sounds like we need password managers. Which should we be looking for there?
Thomas J. Holt: There are a range of different password managers. I can’t really give any one more of a thumbs up or a thumbs down. They’re useful. They certainly have value, but they also introduce some problems wherein if you’ve got, say, a 25-character string password that you can’t remember and it’s just stored in your browser, in the event your computer crashes or something else and some of those passwords are gone, you’re going to have to go through and cycle up a bunch of new passwords. So they’re helpful, but having a written backup somewhere independent of your devices may be practical. I realize not everyone is supportive of written passwords, but in the event you’ve got some very long ones that are harder to remember, it is an option.
J. Craig Williams: Is this ever going to go away or is it something that we’re going to be looking at for a long time to come?
Thomas J. Holt: Ransomware has been around forever now. It feels like ransomware has evolved over the last decade and has now just moved from hitting individuals to hitting corporate enterprise environments because they know, again, people will pay. So the tools themselves have evolved slightly. I don’t think it will ever go away. We will just have some new iteration of this problem. That’s really the biggest issue with any type of malicious software. They last for a long, long period of time, and they’ll only be supplanted by the next really new and novel innovations. So we went from having botnets as a familiar and common form of cyber-crime in the early 2000s through to essentially the end of the decade, where remote attacks were being performed through sort of managed computer networks of infected systems. Eventually they were easy to detect and there was a lot of management on the part of the attacker. And so they’ve tried to find other ways to monetize and use the software at their disposal to engage in attacks. So ransomware has really gotten a foothold because it’s easy, it’s effective and it generates quite a bit of revenue for the attacker. So there will be some new thing, it’s just unclear what that is at the moment.
J. Craig Williams: And should we look to our federal government to be protecting us from this, or should we just really start air gapping all our computers and unplugging from the internet from time to time?
Thomas J. Holt: Well, I am hopeful that we will get some better guidance in the near term, certainly with transitions within DHS and an important emphasis on cyber security across the board. I think, unfortunately, the Pipeline ransomware incident was a watershed moment, coupled with the incident from the December 2020 period, which is again one of those attacks where we don’t know the full scope of harm, but we do know that it was dramatic and it affected virtually all of government. And so these are the kinds of incidents that I think are going to prompt some attention on the part of the federal government to improving the quality and quantity of cyber security that is available to small, medium and large enterprises. But at the end of the day, it’s always going to be a question of how you best secure your resources, because what you use may be different from an attorney just down the road for whatever reason. So if you’re using Macs and they’re using PCs, you’re automatically going to have some variations in what security tools you use or what protocols you might have to implement. So those variations, just in terms of our software and hardware preferences, also make it difficult to use a one-size-fits-all option.
J. Craig Williams: Great. Well, Tom, it looks like we’ve just about reached the end of our program, so I’d like to take this opportunity to invite you to share your final thoughts and your contact information so our listeners can reach out to you.
Thomas J. Holt: Sure. The most important thing from my perspective is that you read up and understand what your own environment looks like and what you can do to better defend it. There are a lot of basic things that people can do in terms of cyber hygiene that are very effective at reducing overall risks for different types of attacks. Effectively, think of cyber security like brushing your teeth. If you don’t brush your teeth, you’re going to get cavities, you’re going to have expensive dental bills. If you don’t take basic steps to secure your network environment, you’re going to have very expensive damage bills when an attack happens. And that’s one of the biggest problems: it is always a question of when, not a question of if, when it comes to cyber-attacks against different infrastructure. So if anyone has any questions or concerns, or if there’s something that I can address for you, you can reach me via email, or if you’re on Twitter you can reach me at cybercrimeprof.
J. Craig Williams: Great. Thank you very much, Tom. It’s great having you on the show.
Thomas J. Holt: Thank you for having me. I appreciate it.
J. Craig Williams: And for our listeners, if you like what you heard today please rate us on Apple Podcasts or your favorite podcasting app. You can also visit us at legaltalknetwork.com where you can sign up for our newsletter. I’m Craig Williams. Thanks for listening. Join us next time for another great legal topic. Remember, when you want legal, think Lawyer2Lawyer.
Outro: Thanks for listening to Lawyer2Lawyer produced by the broadcast professionals at Legal Talk Network. Subscribe to the RSS feed on legaltalknetwork.com or in iTunes. The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.
Podcast transcription by Tech-Synergy.com