One of the major themes of the Predictions for the Legal Profession for 2015 – Part 1 and Part 2 from the 25 thoughtful contributors was the increasing focus on security for law firms for 2015. Perhaps Sharon Nelson, a lawyer and President of Sensei Enterprises Inc, a digital forensics, information security and information technology firm in Fairfax, Virginia, put it best when she said:
“Cybersecurity is now universally the chief worry of large firms. We have already concluded that we cannot keep determined intruders out.”
I am aware of several law firms that have been hit by the CryptoLocker or CryptoWall ransomware. These ransom Trojans enter your system and begin stealthily encrypting all files that they can locate. Finally, one day, you enter your office only to be met with a message similar to this on your screen:
The ransomware then demands payment in Bitcoin to decrypt your files, within a very short time frame (too short to use brute-force attacks to break the encryption). If payment is not made within this time frame, it vanishes from your system, leaving your files fully encrypted.
PCWorld stated, quoting CTU researchers:
“Between mid-March and August 24, 2014, nearly 625,000 systems were infected with CryptoWall,” the CTU researchers said. “In that same timeframe, CryptoWall encrypted more than 5.25 billion files.”
The largest number of infected systems were located in the United States—253,521 or 40.6 percent of the total. The next most affected countries were Vietnam with 66,590 infections, the U.K. with 40,258, Canada with 32,579 and India with 22,582.
How does it enter your system? Typically these Trojans arrive as an attachment to an email message that appears to be sent by a legitimate company. The attachment is a disguised executable file; it installs itself and adds a key to the Windows registry that causes it to run on startup. From there it contacts one of many command and control servers, which generates a very large encryption key pair. The public key is sent to the infected computer, which uses it to encrypt as many local and networked files as it can find (per Wikipedia: https://en.wikipedia.org/wiki/CryptoLocker).
The firms that did not pay the ransom either gave up on their data or – the fortunate ones – were able to restore their system from a cloud-based backup that was not attacked by the Trojan.
Accordingly, we can learn from someone’s unfortunate experience by creating a backup that (we hope!) will be immune from such ransom exploits.
How did the firms that survived the attack do this?
They had cloud-based backups that were not continually connected to the office servers. In other words, they made periodic backups that were ‘versioned’ and as such, the firm was able to go back to a date prior to the infection and at least restore their data as of that date.
It may have helped that the files were also stored in encrypted format by the cloud backup service. If the files are not of a format recognized by the ransomware, they are not encrypted. Furthermore, the cloud-based backup was not recognized by the ransom Trojan.
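Going back to a version dated before the infection means working out which backup version was the last clean one. The following Python code is an added example, not code from the original post or from any backup service: it assumes each backup version can be read as a mapping of file path to content (the sample versions and dates are constructed) and flags the first version in which most changed files look like random ciphertext.

```python
import math
import random
from collections import Counter
from datetime import date

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspect(prev: dict, cur: dict, min_entropy=7.0, min_fraction=0.5) -> bool:
    """True if most files changed since the previous version look random.
    Caveat: compressed formats (zip, docx, jpg) also score high, so treat a
    hit as a prompt for manual review, not proof of encryption."""
    changed = [p for p, body in cur.items() if prev.get(p) != body]
    if not changed:
        return False
    high = sum(1 for p in changed if entropy(cur[p]) >= min_entropy)
    return high / len(changed) >= min_fraction

def last_clean_version(versions):
    """versions: [(date, {path: bytes})], oldest first. The oldest version is
    assumed to be a clean baseline. Returns the date to restore from."""
    clean_day, prev = versions[0]
    for day, files in versions[1:]:
        if suspect(prev, files):
            break
        clean_day, prev = day, files
    return clean_day

def fake_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Constructed stand-in for an encrypted file: seeded pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

# Constructed sample data: four weekly versions of two documents.
CONTRACT = b"Retainer agreement between the client and the firm. " * 80
MEMO = b"Memo to file regarding the discovery schedule. " * 80
VERSIONS = [
    (date(2015, 1, 5), {"contract.txt": CONTRACT, "memo.txt": MEMO}),
    (date(2015, 1, 12), {"contract.txt": CONTRACT, "memo.txt": MEMO + b"Revised."}),
    (date(2015, 1, 19), {"contract.txt": fake_ciphertext(1), "memo.txt": fake_ciphertext(2)}),
    (date(2015, 1, 26), {"contract.txt": fake_ciphertext(1), "memo.txt": fake_ciphertext(2)}),
]

if __name__ == "__main__":
    print("Restore from version dated", last_clean_version(VERSIONS))
```

The check has to run on file contents as they existed on the office machine at backup time, since a service that encrypts everything it stores makes every stored object look random.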
One cloud storage and backup service that may protect your files against such a threat is SpiderOak (note that we say may protect – we make no assurances in this regard, and each reader is advised to check with their IT and security expert to determine how best to guard their systems against these threats).
SpiderOak (https://spideroak.com) is a zero-knowledge backup and storage service. That means that the SpiderOak servers never know the plaintext contents of the data you are storing (most importantly, your files are not stored in Word or other common formats!). Furthermore, only you have the key to decrypt your data (you can’t ask SpiderOak to reset or provide this for you; they don’t know it), and they don’t know your password either, so they can’t reset that for you.
These days, when it comes to your precious law firm data, it is reassuring to know that at least someone has your back.