Protecting your files from ransomware extortion

  • March 01, 2015
  • James Careless

Ransomware is a law firm’s worst nightmare. When a ransomware virus gets into a computer system, it encrypts all of its files – thus cutting the firm off from all of its computer-stored information.

“The data owner is then prompted by the ransomware software to pay a ransom – often in encrypted currency known as Bitcoin – within a certain time period, usually a couple of days,” says David Whelan, the Law Society of Upper Canada’s Manager of Legal Information. “Payment results in a decryption key. No payment means the files remain encrypted and inaccessible.”

Paying the ransom is no guarantee of receiving a decryption key. Some ransomware extortionists take the Bitcoins and run, leaving their victims cut off from their files.

All law firms are vulnerable to ransomware attacks. But solo practitioners and small firms generally lack the level of IT support available in major law practices, meaning that they can be less prepared to guard against and recover from ransomware attacks when they occur. And these attacks are taking place in Canada: The Law Society of British Columbia recently sent an alert to its members about the Cryptolocker ransomware virus after two B.C. firms were affected, said David Bilinsky, a Practice Management Consultant/lawyer with the LSBC.

Neither of the affected firms has gone public about the attack, which is par for the course. Clients might punish companies who admit ransomware breaches by shifting their business to other firms.

Unfortunately, ransomware attacks are a serious threat to anyone connected to the web. According to the Counter Threat Unit at Dell SecureWorks, a single ransomware program called CryptoWall infected over 600,000 computer systems in just six months, taking five billion files hostage and earning its extortionist creators over $1 million. So now is the time for solo practitioners and small firms to take steps to protect their files from ransomware.

Think before you click

Ransomware needs the unwitting assistance of a targeted email user to allow it in – either by clicking on a web site link, or by opening an attached executable file that downloads the ransomware to the user’s computer and, by extension, into their law firm’s file system. So the most effective way to prevent ransomware attacks is to be extra-vigilant when opening emails that come with links and/or attachments.

The rule of thumb? “Lawyers and staff should be wary of clicking on links that go to websites that they aren't familiar with,” said Whelan. “They should be trained not to click and to be paranoid about the files they receive. Attachments that they receive should be downloaded and scanned by anti-virus, not double-clicked and opened. This includes attachments that look legit, like digital voice mail.”

“If you have access to an IT person, send them the suspicious email without opening it,” added Bilinsky. “They can then open that email in a quarantined program known as a ‘sandbox.’ This allows IT to see what’s inside the email, without any danger of any attached viruses escaping into the main corporate network.”
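For whoever handles IT, the "scan it, don't double-click it" rule can be partly automated. The following is an added example, not part of the original article: it reads a saved email and lists attachments that are executable, that are programs hiding behind a harmless-looking extension, or that are ZIP archives containing executables. The extension list and the sample message are constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types Windows runs on double-click (illustrative list, not exhaustive).
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar", ".lnk"}

def ext_of(name):
    """Final extension, lower-cased; trailing dots and spaces are ignored."""
    name = name.lower().rstrip(". ")
    return "." + name.rsplit(".", 1)[1] if "." in name else ""

def triage(raw_bytes):
    """Return (filename, reason) for every attachment that should not be opened."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if ext_of(name) in RISKY_EXT:
            findings.append((name, "executable file type"))
        elif data[:2] == b"MZ":  # header bytes of a Windows program
            findings.append((name, "program disguised by its extension"))
        elif data[:4] == b"PK\x03\x04":  # ZIP archive: look one level inside
            try:
                inner = zipfile.ZipFile(io.BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                findings.append((name, "archive could not be inspected"))
                continue
            findings += [(name + "!" + n, "executable inside archive")
                         for n in inner if ext_of(n) in RISKY_EXT]
    return findings

def sample_message():
    """Constructed sample: a fake voice-mail notice with three attachments."""
    msg = EmailMessage()
    msg["From"] = "voicemail@example.invalid"
    msg["To"] = "lawyer@example.invalid"
    msg["Subject"] = "New voice message"
    msg.set_content("You have a new voice message.")
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                       subtype="octet-stream", filename="voicemail.wav.exe")
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="audio",
                       subtype="wav", filename="message.wav")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="retainer.pdf")
    return msg.as_bytes()
```

An empty result is not a clean bill of health: it only means none of these three checks fired, so the anti-virus scan still applies.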

Have a disconnected backup

People being people, chances are that someone within the firm will absent-mindedly click on a link or attached file without thinking from time to time. As a result, it is possible for ransomware to make its way into the system, and to cause havoc.

This is where the second step of ransomware prevention kicks in: No matter how small, every law firm should be backing up its files on a daily basis to a separate storage server/site. They should keep this server/site disconnected from their network except for those times when the files are being transferred to update the backup.

“If a law firm has such a backup, and their network gets infected by ransomware, the disconnected files will be safe because the virus won’t be able to get to them,” said Bilinsky.

Whelan agrees: All law firms “should be using regular backups on removable or cloud devices that can't be reached by an exploit that gets loose on their law firm network or PC,” he said.

Specifically, sensitive files that must be kept on the premises should be stored on a law firm’s own disconnectable backup equipment. Less sensitive data can be stored cost-effectively in the cloud, but again under the proviso that the cloud site remains disconnected from the main network except during file transfers.

It is wise to do such transfers when the firm’s email system is minimally in use, such as 3 a.m. local time. This reduces the chance that someone will accidentally introduce a virus into the network when it is connected to the backup. Alternatively, email access could be blocked during such file transfers, to eliminate this risk entirely.

For a solo practitioner, a cost-effective yet simple backup solution is to purchase a removable external hard drive. At the end of the day, they just plug the hard drive into the computer, back up the firm’s files, and then disconnect it. If their network is shut down by ransomware the next day, they can reload their files from the external hard drive, losing just a day’s worth of work to the extortionist.
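The end-of-day routine above can be scripted so that each backup lands in its own dated folder and is verified before the drive is unplugged. This is an added example, not part of the original article; the marker file name, the 50% change threshold and the assumption that the drive holds nothing but snapshot folders are illustrative choices. Dated folders matter because a backup that overwrites yesterday's copy after an infection would replace good files with encrypted ones.

```python
import datetime
import hashlib
import shutil
from pathlib import Path

MARKER = ".backup-drive"  # hypothetical marker file created once on the backup drive

def digest(path):
    """SHA-256 of one file (read whole; fine for office documents)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def snapshot(source, drive, today=None, max_changed=0.5):
    """Copy source into a new dated folder on drive and return that folder."""
    drive = Path(drive)
    if not (drive / MARKER).is_file():
        raise RuntimeError("backup drive is not connected")
    current = manifest(source)
    earlier = sorted(d for d in drive.iterdir() if d.is_dir())  # ISO dates sort in order
    if earlier:
        previous = manifest(earlier[-1])
        # A file counts as changed if its content differs or its old name is gone.
        changed = [f for f in previous if current.get(f) != previous[f]]
        if previous and len(changed) / len(previous) > max_changed:
            raise RuntimeError("most files changed or vanished since the last "
                               "snapshot; check for ransomware before backing up")
    dest = drive / (today or datetime.date.today()).isoformat()
    shutil.copytree(source, dest)  # raises if today's snapshot already exists
    if manifest(dest) != current:
        raise RuntimeError("verification failed: copy does not match source")
    return dest
```

Once `snapshot` returns, eject and unplug the drive; the copy is only protected while it is disconnected.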

To pay or not to pay?

Imagine that you are just learning about ransomware right now as you read this, with no defences in place, and suddenly your files are locked up by ransomware. (Someone at the desk beside you clicked on a bad link without thinking.) What should you do?

Given that ransomware extortionists typically only demand ransoms in the hundreds of dollars, you may want to consider paying this time and learning your lesson.

“The decision to pay depends on the firm and I think it's a business, not a moral, decision,” said Whelan. “If the lawyer needs to file in court and the files are encrypted, the fastest way to be able to fulfill professional obligations may be to pay the ransom.”

Victims should also determine if the ransomware is Cryptolocker, one of the most prevalent viruses, for which there is a free test and decryption program. If it is, you may be able to beat the ransomware bandits at their own game – this time.

James Careless is a freelance journalist.