Anyone reading this article has likely heard the term “ransomware” and may even have a basic understanding of the concepts related to it. What many fail to recognize, though, is that understanding the risks ransomware poses to your firm and your clients is part of your professional obligation, which calls for more than a basic understanding of such concepts. Any lawyer collecting and storing client data should know enough about ransomware to account for it and address it appropriately.1 Moreover, firms (and their clients) should understand the types of organizations that bad actors tend to target, the true cost of a ransomware attack, and how to prepare for and respond to an attack.
RANSOMWARE AND HOW IT IS INSTALLED
The United States Cybersecurity and Infrastructure Security Agency defines ransomware as a “form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.”2 This is the type of ransomware with which most people are familiar, but ransomware can also lock the user out of a particular application; lock the user out of a device or devices; or exfiltrate (steal) sensitive data, typically coupled with a threat to release it publicly.3 In all of these cases, the malicious actors demand payment to restore the victim’s access to the locked files or devices, or to withhold the stolen information from public release. Increasingly, the two are combined in a “double extortion” scheme: bad actors encrypt the victim’s systems and steal a copy of the data first, then demand payment both for the decryption key and for a promise not to publish the data. Notably, restoring from backups defeats only the first half of that scheme; it does nothing to undo the theft.
Like other forms of malware, ransomware must be installed on a target system. There are several ways in which an installation might occur:4
- Phishing: While a full discussion of phishing is outside the scope of this article, it is worth noting that ransomware is regularly installed by a legitimate system user clicking on a malicious link or opening a malicious attachment in what appears to be a legitimate email.
- Infected websites: Ransomware can be downloaded by visiting a malicious or compromised website (a so-called drive-by download) and may not require any additional action by the user beyond loading the page in an unpatched browser or plug-in.
- Network vulnerabilities: Failure to properly configure, patch, or update network devices, operating systems, and applications can leave the (virtual) door open for bad actors to install ransomware.
- Prior malware infection: In some instances, ransomware may sit idle on a system for days, weeks, or months before activation. This rogue software may be installed as part of a prior attack and left behind to infect other systems or even backup drives.
- Legitimate third-party systems: In many ransomware attacks, the victims find their systems were infected when a third-party service provider failed to properly protect its network.
A would-be hacker need not be a computer expert capable of creating and installing ransomware on a target system. Indeed, ransomware attacks have become more common in the last few years due, at least in part, to the advent of ransomware as a service (RaaS). Like legitimate software as a service, RaaS vendors provide the code and operational infrastructure necessary to launch a ransomware campaign, while “affiliates” with little technical skill handle the break-in and extortion. As compensation for its services, the RaaS vendor takes either an up-front payment or a percentage of the ransom.
RANSOMWARE TARGETS: ORGANIZATIONS OF ALL SIZES SHOULD BE CONCERNED
Recent high-profile ransomware attacks have been covered by the media. What is believed to be the largest ransomware payout in history ($40 million by CNA Financial) occurred in May 20215 and most readers are likely aware that Colonial Pipeline paid hackers $4.4 million around that same time.6 Those outliers are merely brushstrokes on the larger painting. More than 4,000 ransomware attacks occur daily in the U.S. alone and estimates suggest a ransomware attack may occur every 11 seconds.7 What should concern readers most, though, is that the average ransom demand has increased from $5,000 in 2018 to more than $220,000 in 2020 and $300,000 in 2021 with a median payment of around $78,000.8,9
Modern ransomware attacks tend to target organizations that need immediate access to their systems to continue operations. Attacks on tech-driven, industrial firms such as Colonial Pipeline are becoming more common. In January 2021, an attack forced WestRock packaging company to shut down 300 plants.10 In March 2021, MillerCoors was unable to access systems that controlled production and shipment.11
Law firms, of course, are not immune. To the contrary, law firms of all sizes are prime targets — the professional services industry made up nearly 25% of ransomware targets in the first quarter of 2021.12 Healthcare was a distant second at 11.6%.13 Research suggests attackers consider the ideal ransomware victim to be a U.S.-based company with more than $100 million in revenue outside of the education, healthcare, government, and non-profit sectors.14 But those companies are not the most common targets. Companies with 11 to 1,000 employees make up 68.1% of ransomware targets because they “often don’t have the financial or technical expertise to properly handle the incident or perform the proper remediation required to prevent a repeat attack.”15
THE TRUE COST OF RANSOMWARE ATTACKS
Businesses must recognize the true cost of an attack is far greater than the ransom paid to bad actors. Some may think the cost to prepare for and defend against an attack could outweigh the ransom itself. After all, the costs of employing or consulting with a security expert, updating hardware and software, and training employees can be quite high. But consider the following:
- The cost of disruption and downtime can be “almost 50 times greater than the ransom demand.”16
- The cost of a forensic investigation (which is likely necessary regardless of whether the ransom is paid) averages approximately $74,000.17
- When data is recovered, it may be incomplete or inaccurate.18
- Customers, clients, vendors, suppliers, and other third parties whose data was lost, locked down, or improperly disclosed may seek damages from the ransomware victim.19
- Recent statistics indicate that only 8% of the organizations that pay a ransom recover all their lost data.20
- Reputational harm, which can be difficult to quantify, must also be considered.
It may be tempting to skip the cost of properly preparing for a ransomware attack on the assumption that a cyber-insurance policy will cover the losses. But a policy does not make preparation unnecessary: victims of ransomware attacks still incur the costs of security consultations, system hardening, and training after an attack, typically under far more pressure and at higher prices than if the same work had been done beforehand.
PREPARING FOR AND RESPONDING TO AN ATTACK
While it is impossible to provide absolute security against a ransomware attack, there are best practices an organization can take to minimize both the likelihood of a successful attack and the damages associated with an attack.
Security Training
As with most cyber-related events, the first line of defense against ransomware attacks is those inside the organization — the people who open emails, surf the web, and plug in flash drives. Proper training is critical to help employees identify phishing attempts, avoid harmful websites, and set up proper access controls like strong passwords and multifactor authentication. Third-party vendors can provide cost-effective, non-intrusive (and sometimes entertaining) security training tools for organizations of all sizes.
System Hardening
While most attacks succeed because a legitimate user is tricked into running the ransomware, some attacks occur through improperly configured or out-of-date systems. Best practices to keep these systems secure include updating device firmware, updating software, regularly patching systems, and setting up proper access controls, including multifactor authentication on every externally reachable login (email, VPN, and remote desktop access in particular). Users should also be given only the access their work requires, so that a single compromised account cannot reach, and encrypt, every file the organization holds.
Business Continuity and Disaster Recovery Planning
Every organization, no matter the size or industry, should have a business continuity and disaster recovery (BCDR) plan. A formal policy document is ideal, and in some cases required, but at a minimum a proper planning exercise gives an organization insight into its critical business functions, the data it stores, where that data is stored, and how it is secured. Upon completing a BCDR plan, the organization can ensure that its operations will continue during a ransomware attack and potentially avoid paying ransom by restoring from backup systems.21 Two caveats apply. First, as noted above, ransomware may sit idle on a network and infect backup drives before it activates, so at least one copy of the backups should be kept offline or otherwise isolated from the production network, and restores should be tested regularly rather than assumed to work. Second, backups restore access to data; they do not prevent the public release of data that was stolen before the encryption began.
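The two backup caveats above (ransomware left behind to infect backup drives, and the need to verify backups rather than assume they are intact) can be checked mechanically. The following is an added example written for this article, not code from the original text or from any vendor. It assumes a simple manifest of SHA-256 digests recorded when the backup was taken (a hypothetical convention, not any particular product’s format) and flags three conditions: files whose contents no longer match the manifest, files that have gone missing, and files whose bytes look statistically random, which is what an encrypted file looks like even when no manifest entry exists for it. The sample files are constructed inline so the script runs offline.

```python
"""Check a backup set for signs of tampering or ransomware encryption.

Added example, not from the original article. Assumes a hypothetical manifest
of relative path -> SHA-256 hex digest captured at backup time.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Bits of entropy per byte above which a file is treated as "looks encrypted".
# Plain text and most office documents sit around 4-6; random/encrypted data is near 8.
ENTROPY_THRESHOLD = 7.5


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Record every file under root as 'relative/path' -> sha256 (run when the backup is taken)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                manifest[rel] = sha256_bytes(f.read())
    return manifest


def verify_backup(root, manifest):
    """Compare the backup under root against the manifest and return a report dict."""
    report = {"ok": [], "modified": [], "missing": [], "suspicious_entropy": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            report["missing"].append(rel)
            continue
        with open(full, "rb") as f:
            data = f.read()
        if sha256_bytes(data) != expected:
            report["modified"].append(rel)   # content changed since the manifest was taken
        else:
            report["ok"].append(rel)
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            report["suspicious_entropy"].append(rel)   # looks like ciphertext
    return report


def demo():
    """Constructed scenario: a three-file backup, then one file encrypted and one deleted."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "clients"))
        samples = {
            "matter-001.txt": "Engagement letter, retainer terms, billing contact.\n" * 50,
            "matter-002.txt": "Discovery index and privilege log.\n" * 50,
            "matter-003.txt": "Closing binder checklist.\n" * 50,
        }
        for name, text in samples.items():
            with open(os.path.join(root, "clients", name), "w") as f:
                f.write(text)
        manifest = build_manifest(root)   # taken at backup time, before the infection acts

        # Simulate dormant ransomware later acting on the backup drive:
        # one file is overwritten with ciphertext-like random bytes, another is deleted.
        with open(os.path.join(root, "clients", "matter-002.txt"), "wb") as f:
            f.write(os.urandom(4096))
        os.remove(os.path.join(root, "clients", "matter-003.txt"))

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:20s} {paths}")
```

The digest comparison is the authoritative check; the entropy heuristic is a secondary signal for files that were never recorded in a manifest, and it will produce false positives on data that is legitimately compressed or already encrypted (ZIP archives, many PDFs, encrypted vaults), so treat it as a prompt for a closer look rather than proof of infection. Neither check replaces an actual restore test of the full backup.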
Incident Response Planning
Like a BCDR plan, an incident response plan is critical for responding to an attack. An effective incident response plan identifies the key stakeholders in the response process and defines the actions each of them should take. At a minimum it should specify when, and under what circumstances, the organization will contact the authorities, its insurance carrier and/or counsel, a forensic investigator, and the media; the identities and contact information for each of those third parties; the internal steps for immediately containing the damage (for example, disconnecting affected systems from the network without powering them off, so that forensic evidence is preserved); and any other procedures the organization deems appropriate. The incident response plan should read as a step-by-step guide that allows stakeholders to act quickly and effectively in a high-pressure situation, and it should be kept somewhere that remains accessible when the organization’s own systems are locked.
Contractual Considerations
Aside from technical planning, organizations should review contracts with an eye toward possible ransomware attacks on either party and whether liability should be shifted or excluded as a result. Specifically, review force majeure provisions and whether cyberattacks should be listed as an event type while considering the likelihood of such an event based on the industry. Consider whether the agreement should include a separate cyberattack clause defining the rights and obligations of the parties in the event of an attack.
CONCLUSION
With proper training and preparation, most organizations can stop ransomware attacks before the malicious software is installed on their systems. With proper planning and appropriate policies and procedures, the damage caused by the attacks that do succeed can be substantially reduced.