Phil Limb and Marianne McWilliams from Miller’s Solicitors team recently spent time with Nic Miller of Aedile Consulting to discuss the cyber threat landscape for law firms. In the second of our four-part series, we discuss ransomware and the CTS attack.

Why should law firms be concerned about ransomware? 

There’s been a huge rise in ransomware attacks over the last few years. This is where cyber-criminals will launch more technical attacks designed to encrypt a firm’s computers and everything on it to stop that company being able to do anything.

The criminal then approaches the firm to say “we've got complete control of your IT systems and you need to pay us £250,000 if you want them back”. These attacks are incredibly commonplace. They make the news occasionally when it happens to a big firm, but they are happening day in / day out to small, medium and large sized firms.

As firms have started to get better protected against this risk by having backups and other procedures in place, the attackers have evolved their tactics and now also steal a copy of all the firm's data before they encrypt it. So then they'll say, “OK, we've got control of your IT system, if you want to wipe it all and rebuild it and feel like you don't need to pay a ransom that's fine, but we're going to release all of your sensitive client data and publish it to the web. Again, the cost to stop us doing that is £250,000”.

Real ransom figures can vary depending on the victim, but typically they’ll be in the tens of thousands and upwards into the millions, depending on the size of firm and how much leverage the criminal groups think they have.

Attackers will be attuned to the size of their targets and base ransoms requests on this data. There are multiple examples of attackers using companies own financial documents to justify their ransom demand. One insurer has started encrypting the cyber policies it sends out as an attacked firm tried to claim they couldn't afford the ransom, and the criminal group sent a copy the firm’s own cyber policy and said “yes, you can”.

Other than financial extortion, how else can a ransomware attack impact a firm?

Firms typically underestimate the impact of a major data breach. A company-wide ransomware attack might well affect every single piece of data a company holds. That means every single customer, client and vendor the firm works with has had their data breached. The amount of time that companies then need to invest in remedial work is far larger than many have planned for. Breach notifications to clients, triggering contractual requirements to notify other firms of the breach, and dealing with any potential litigation or other issues that can arise from that, can easily take months or even years to resolve. 

From a technical perspective, recovering from the attack also takes much longer than many firms anticipate also. The problem is that ransomware attacks are typically launched using privilege access to your network where they have administrative control of key systems for some time before the attack begins. So it's not simply the case of undoing the attack because if you restore your systems to what they look like the day before the ransomware attack took place, you've restored it to a point where the attacker still has complete control over your network.

You have to go back all the way to figure out how they've gotten in, how they've taken control, what accounts they've gotten access to, and you need to be able to undo all of that before you can even begin to restore, because otherwise all you simply do is you restore your data and the attacker just comes back in and re-encrypts it and then doubles the ransom demand for wasting their time.

On average, how many firms that pay the ransom, get back control of their data? 

I've heard various statistics, but I don’t know how reliable those figures are. Broadly, my understanding is that obviously there are no guarantees, but ransomware groups operate a business model, which is if you pay, you get your data back.

It is worth pointing out that the organisation and sophistication involved with these groups speaks of the wider professionalising of cybercrime. There are still some people doing it for fun, but mostly, this is now a professional industry. The big cyber-crime groups have HR teams, and even help desks for firms who have been encrypted to call up and get taken through the process of how to pay the ransom. This surprises people the most, but this is their job and they do this day in, day out and they make a fortune out of it.

Different cyber-criminal groups also operate different models. Some operate what's called ransomware as a service, whereby they build the tool and then license it to attackers and take 10% of whatever they earn. Others are more like a franchisee model where they train others how to carry out an attack. There’s also groups that focus on getting the initial foothold into a firm - they’ll hack someone’s computer, get someone's credentials for VPN and carry out the legwork that often takes lots of time – and then sell that access data to others who will go and carry out the attack.

There isn't a single way of making money from it anymore, which makes it a threat to all companies. 

It must be really difficult to know what to do if you haven't got an insurance policy behind you and you face one of these messages. I'm thinking about sanctions as much as anything because firms still have those responsibilities, before they can pay any ransom over.

In the US, you are starting to see a shift towards saying it's going to be illegal to pay some ransoms, but it's difficult. There are people who say you should never pay, however if you're in the position where your sensitive client data will be leaked, and that data would significantly impact people's lives, you have a duty in some ways to do everything you can to prevent it. Now, technically that duty should have extended to protecting it properly so that it wasn’t stolen in the first place, but that duty doesn’t end because it has been lost. If you have another opportunity to help prevent its public leaking, in some ways, you could argue that is actually the greater moral objective, which is to limit the harm done. 

I think it exposes companies to a lot of really difficult ethical dilemmas, legal dilemmas and contractual issues. In how many of your contracts do you have to disclose security breaches? When was the last time you went through your contracts and determined who you had to tell in the event of a breach? Would you be in breach if you don't disclose it? What regulators do you need to tell?  If you've got staff or client data from around the world that's been impacted, you might have to notify privacy regulators all around the world.

They're horrendous situations to be in, and actually one thing we don't talk about is the mental health impact it has on people. There have been some horrible cases where the person that clicked on the link, or the person that fell for the original social engineering, blaming themselves and it isn’t their fault in any way. If an attack happens, your firm has a bad security strategy. But the impact on those people is huge sometimes.

Is it too early to know what's happened with CTS?

There hasn’t been a huge amount publicised yet as to what happened in the case of CTS. It certainly looks like it fits the hallmarks of a ransomware attack, and managed service providers are known to be targets for that. The length of the outage and the problems they have been facing certainly speaks to some level of probable extortion attack, whether that be ransomware or something else.

If you have any further questions about anything discussed in this article, or wish to discuss your cyber insurance arrangements, please email or contact any of the team below.