The Recent Spate of Law Firm Hacks, Explained
At least five law firms have been the victims of Maze ransomware in the last month. The hacking group Maze uses phishing techniques to sneak ransomware into law firms' systems. They steal and then encrypt the firms' data. The hackers then threaten to release sensitive client information if payment is not received immediately.
Somewhat unique, however, is the hacking group's method of "proving" they have stolen the data. They create a website (on the clear web, so anyone can access it) and release parts of the stolen data. If payment is received, the hackers say, they will remove the name and information from the publicly accessible website.
Maze began targeting U.S. organizations in November. While it is not clear how many the group targeted, it is clear from the number of incidents already reported that law firms are a primary target. Other victims include the City of Pensacola and the wire and cabling firm Southwire.
According to the FBI, Maze uses multiple methods for intrusion, including posing as mock cryptocurrency sites and running spam campaigns impersonating government agencies and well-known security vendors. The ABA also has coverage.
Phishing
The group poses as a legitimate business or government entity, asking an employee or contractor with access to a secure system to download software. Once installed, the software steals sensitive client information and then encrypts the data, rendering it inaccessible. The software can arrive in various innocuous-looking file types, including PDFs, Word documents, ZIP files and Excel spreadsheets, according to the cybersecurity firm Emsisoft.
The FBI began warning private sector industries about the group at the beginning of the year, and has issued guidance for chief information security officers on how to prevent this type of malware.
Prevention the Best Defense
Avoiding the ransomware starts with secure systems and employee training. It is important that everyone at the firm understand phishing techniques and when to avoid opening email attachments that look suspicious. For example, emails that suggest a matter is extremely urgent and an attachment must be opened immediately should be viewed with extreme skepticism.
Other tips include:
- Do not enable macros. Macros can save time by repeating automated tasks. However, when you enable macros you risk allowing dangerous code to run on your computer. A hacker can use a macro to spread the ransomware or other malware into your system.
- Use multi-factor authentication when signing on to a system, particularly from a remote location.
- Back up data. Because Maze ransomware encrypts data, the data becomes impossible to access. In fact, many ransomware attacks simply encrypt data and ask for payment for the decryption key. However, not all backups are secure from ransomware. Emsisoft recommends storing at least one copy of sensitive documents and data at an offsite location.
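The macro tip above can also be checked before an attachment reaches a recipient. The following Python is an added example, not code from the original article or from the FBI or Emsisoft guidance: it flags Word and Excel attachments that carry a VBA macro project, including ones nested inside a ZIP. The function name `triage`, the verdict labels, the limits and the sample files are assumptions constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls container signature
MAX_DEPTH = 3            # assumed limit on nested archives
MAX_BYTES = 20_000_000   # assumed per-member size limit (guards against zip bombs)

def triage(name, data, depth=0):
    """Return (path, verdict) findings for one attachment, judged by content, not extension."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file: may hold macros, needs an OLE-aware tool.
        return [(name, "legacy-ole-review")]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
        # Modern Office files are ZIPs; a VBA project is a part named vbaProject.bin.
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            return [(name, "macro-enabled")]
        if "[Content_Types].xml" in members:
            return []  # Office document without a VBA project
        for info in zf.infolist():  # plain ZIP: inspect each file inside it
            if info.is_dir():
                continue
            path = f"{name}/{info.filename}"
            encrypted = bool(info.flag_bits & 0x1)  # password-protected member
            if encrypted or depth >= MAX_DEPTH or info.file_size > MAX_BYTES:
                findings.append((path, "manual-review"))
                continue
            findings += triage(path, zf.read(info), depth + 1)
    return findings

def make_zip(files):
    """Build a ZIP in memory from {member_name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in files.items():
            zf.writestr(member, content)
    return buf.getvalue()

# Constructed samples, not real documents.
CLEAN_DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<doc/>"})
MACRO_DOC = make_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"stub"})
BUNDLE = make_zip({"invoice.docx": MACRO_DOC, "notes.txt": b"hello",
                   "old.xls": OLE_MAGIC + b"\0" * 8})

if __name__ == "__main__":
    for path, verdict in triage("urgent.zip", BUNDLE):
        print(verdict, path)
```

A "macro-enabled" verdict means only that the file contains macro code, not that the code is malicious; it identifies the attachments that should be quarantined or opened with macros disabled.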
Legal Obligations
When sensitive client information is exposed in a data breach, you may have the legal obligation to notify your clients. The FBI does not recommend paying the ransom. For one, it seems unlikely that hackers would voluntarily get rid of information that has already proven valuable to them.
The FBI is continuing to investigate. Meanwhile, law firms might want to take this as a good reminder to update all employees about suspicious emails.