Avoid (and Recover From) A Ransomware Attack
No matter how good your law firm’s cyber security systems are – firewalls, passwords, anti-virus, and backup systems – the weakest link remains the human being sitting in front of the computer who clicks on the wrong link or opens up an infected file.
The typical ransomware attack is the result of phishing, where an email containing an infected link is sent to a lawyer or staff member. The link is clicked on, and ransomware is installed on the computer. The ransomware then starts to work in the background while the computer is on, encrypting documents and making them inaccessible. When someone tries to open a document, a demand to pay a ransom in bitcoin pops up on the screen instead, promising to decrypt the files upon payment (the demand used to be a few hundred dollars; now, it’s in the several thousand).
Recently an Ontario law firm was infected by ransomware and found that most of the documents on the server were encrypted. Fortunately, the law firm had staggered backups: one backup every night for the last seven days. The most recent backup was useless, as it was a backup of an infected server. Looking back a few days, the firm found a version of the backup that was ransomware-free. Instead of paying the ransom, the firm cleaned out all the servers and restored everything from the good backup. This took several days, shutting down the office for the better part of a week. Losses included having to recreate the lost data in the meantime.
In this instance, further investigation revealed that the ransomware came from a computer in a spare office for visitors. Such computers should be severely restricted with strong passwords and separate accounts, and shut down at the end of every day.
Our cybercrime coverage is limited to $250,000 and only applies in certain circumstances, as explained in this article. Consider other types of coverage if needed. In addition, when putting together a backup policy, ensure your backup is staggered, as a recent backup of an infected server is useless. You want to have a backup that goes back far enough, to a time when the server was not infected.
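The "look back until you find a clean backup" step from the incident above can be partly automated. The following is an added example, not part of the original article: it walks a set of nightly backups newest-first and returns the most recent one whose files do not look encrypted. The file names, dates, header table and 5% threshold are assumptions, and the sample backups are constructed.

```python
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

# Assumed table of expected file headers ("magic bytes") per extension.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (values near 8.0 look random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name: str, data: bytes) -> bool:
    """Heuristic: wrong header for a known type, else near-random content."""
    for ext, magic in MAGIC.items():
        if name.lower().endswith(ext):
            return not data.startswith(magic)
    return entropy(data) > 7.5

def newest_clean_backup(backups, max_bad_ratio=0.05):
    """Check backups newest-first; return the date of the first clean one."""
    for taken, files in sorted(backups.items(), reverse=True):
        bad = sum(looks_encrypted(n, d) for n, d in files.items())
        if files and bad / len(files) <= max_bad_ratio:
            return taken
    return None  # every retained backup is affected: retention is too short

def _random_like(seed: str) -> bytes:
    """Deterministic stand-in for ransomware-encrypted content (constructed)."""
    return b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest() for i in range(64))

# Constructed sample: seven nightly backups, files encrypted from the 5th night on.
GOOD = {"retainer.pdf": b"%PDF-1.4 constructed sample",
        "will.docx": b"PK\x03\x04 constructed sample",
        "notes.txt": b"Client meeting notes, constructed sample. " * 20}
BAD = {name: _random_like(name) for name in GOOD}
START = date(2024, 1, 1)
SAMPLE = {START + timedelta(days=i): (GOOD if i < 4 else BAD) for i in range(7)}

if __name__ == "__main__":
    print("Restore from:", newest_clean_backup(SAMPLE))
```

A result of `None` means no retained backup predates the infection, which is the situation a longer staggered retention window is meant to prevent.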
Protect yourself and your law firm from cybercrime with these tips from the Cybercrime and Law Firms LAWPRO magazine. Make use of technology policies and employee departures policies. And importantly, ensure you and your staff are trained to avoid clicking on infected links and documents.