8 Ways Law Firms Can Protect Against Ransomware
We’ve all heard the same stories: It’s a weekday evening, an accounts manager of a warehouse depo and small outlet shop couldn’t access the account’s server. Later, she discovered the CCTV Server, payroll machine and backups were encrypted. The system had been taken over by ransomware. It’s an all too common scenario and one that was very real for a client of ours. But, there were a number of measures this company could have taken, and ones that many other companies could learn from, to protect themselves against cyber attacks.
In the case of the warehouse depo, when the attack happened, most of the outsourced IT support was on leave. However, the staff on duty did identify that the threat was the ‘Mr Dec’ variant of ransomware. The bad actor entered the domain controller system, hijacked credentials from the Windows Active directory, deleted backups, scanned the network for more machines to infect, hopping from machine to machine as to copy and execute the ransomware.
To mediate the situation, the firm’s IT support was able to block outside RDP connections which enabled the threat to spread. (RDP is Microsoft Window’s inbuilt function which allows remote control of a machine if left with unsuitable passwords. It can be used to gain control of a system and spread an attack.) The connection to the attack control server was blocked stopping further encryption of files on the network.
What they could have done differently
Let’s take a look at the policy and the state of security of the firm which allowed the bad actor’s plans to be executed successfully. This company, in particular, had business interruption and cyber cover that stipulated several conditions must be met before a successful reimbursement can be provided. All of these are very common amongst cyber coverage and ones that attorneys, business owners, and others, should be aware of.
Eight Common Requirements by Insurers
Let’s look at the 8 most common conditions and understand why they are important:
Item default passwords must be changed and kept secure. The enterprise policy must obligate users to change passwords every 60 days.
Changing the password denies attackers remote access they may already have access to through public breaches, public WIFI sniffing, keylogging software or hardware. If an employee of your firm has been the victim of a breach of one of their personal accounts, an updated password halts bad actors continuously accessing corporate accounts using the same password. Sites are available to assist users who want to check if an email account has been breached. Even though a breach may have occurred in the past, and the password has been changed, forwarding rules for users must be checked as well in order to ensure that the locked-out bad actor is still not able to receive incoming emails, as they may be forwarding those to one of their nefarious fraudulent webmail accounts. Attackers often wait for invoices or other nuggets in order to change account details to their benefit.
That primary RDP password I spoke of earlier, was compromised, which allowed the attacker access to the system. This, and the lack of real-time scanning on the Anti-Virus, allowed the attacker to utilise a tool called mimikatz.exe to harvest credentials from the active directory and produce further attacks.
Data must be stored and disposed of securely.
Wiping of old storage mediums or encryption of employee smartphones and laptops must be done, in case they were lost or fell into the wrong hands. In this case, that did not happen. The central server and records room was not locked and able to be accessed by all users presenting a local security potential issue from visitors or rogue employees. This also goes for company information discarded in recycling bins that can be reviewed. Everything must be shredded. Paper documents can disclose personally identifiable information, login and bank details as well as passwords thus posing a security risk.
Employees must initiate social engineering training every 12 months.
Social Engineering is the act of trying to gain public information from the internet via phishing. Telephone, email and other routes to facilitate fraudulent actions or cyber-attacks. Regular compulsory training reduces the probability of attacks occurring. No matter how resilient the server is if employees hand over the password and other user data then attack vectors such as RDP or TeamViewer may be used to enter a system. Once a user has access to an account, a remote access vector or email account, the bad actor can use the legitimate account to run further reconnaissance or further attacks. Entry can be sold on forums of the web called the ‘dark web’ for a high price.
The accounts department must be instructed in writing on formal payment procedures.
If key accounts, employees or senior staff are identified from an attacker, then a bad actor can use the account or email template layout to send spoofed or legitimate emails from a comprised account. These emails can direct payments to a throwaway account owned by the attacker for illegitimate reasons. Payment requests should be checked when the account changes or when large sums are requested. The same should be checked if there are anomalies in the email message. Calling the account holder to confirm the payment request may stop most of these attacks, though care must be taken to use a known number.
Protection against unauthorised access to firewall (ensure once a month or automatic updates).
A hardware firewall was present in this case but allowed remote connections from outside source and communication to dubious IP address destinations. Firewalls should be configured as not just to allow ‘all any’ incoming connections. Default admin passwords should be changed before implementation.
Install suitable software protection against Virus or Similar Mechanism (ensure once a month or automatic updates).
Free anti-virus was used as protection in this case. The database was updated but the program, the engine running the anti-virus, was out of date. It did not have real-time scanning, which means if a threat is introduced, it would be useless on the execution of the threat. In addition to this, it could be switched off by the logged on user. Many better protection options allow only the administrator to do this or require a password for this operation.
The insured must maintain adequate backup copies no less frequently than every seven days.
The integrity of any data backup must be validated using operating system routines or checks. Backups must be stored securely and separately from the original data or programs. The two backup disks were plugged into an infected machine and encrypted. The backups were swapped over every evening but were not checked. Backups also existed on the same server, and these were networked allowing the malware to encrypt these, too.
Ideally, backups should be made non-networked and taken offsite; there should also be backups to the cloud. As important as it is to take backups, making sure they are regular, they can be restored swiftly, they are safe from corruption, encryption and deletion is necessary, whether that be on the cloud or a physical hard drive in a safe, stored offsite.
Firmware, operating systems, software, and programs must be updated within 14 days of an update being released.
Firmware needs upgrading periodically as exploits can exist in the code allowing an attacker to gain control or destroy the normal operation of a system. Upgrading the firmware is a risky process that involves the use of software to ‘flash’ an internal ROM chip upgrading the security and often performance and features. Firmware is used in most hardware devices from joypads to firewalls. This fundamental task is often overlooked, and policy is broken in this respect.
As for Operating systems such as Windows, Ubuntu or Mac OS, they are secure as long as they are ‘supported.’ For example, On January 14, 2020, Microsoft will be officially ending its support for Windows Server 2008 R2 editions. I expect to see still many enterprise level systems still running 2008R2. You only need one legacy server to allow remote code to run and an attacker can gain access to the rest of the networks systems. It is best not to leave the user the choice of updating as they seldom do. Anti-virus, Anti-Malware, and OS updates should be scheduled every few days, and users should be asked to reboot the system to complete the update as necessary.
The Aftermath for This Client
It was estimated that the cost to rebuild the database in workforce hours would have been as much as £100,000. The event cost the firm at least £20,000 in lost time, but this could have been more if the encryption hadn’t been stopped and the main database files hadn’t been decrypted.
The key steps for a cyber-investigator are to stop the encryption continuing by pulling the plug or stopping the communication to the attack server. Preservation is important to capture what is already there by forensically imaging the items. Backups must be identified, dated, and an attempt to restore if possible. The goal is to get the business up and running at a base level, identifying the malware and writing a report for the claim and so the insured can learn from the attack and get proper security in place.
Not enough steps were taken to bring the IT security in line with the insurance policy. Insurers and the insured should take measures to enforce the policy, make certain it’s adhered to, and limit the ability for future claims. Care must be taken in terms of the policy wording as not to allow security gaps. For example, a policy may stipulate if an Anti-Virus is present but not if it is active or updated.
In terms of protection, deactivation of the remote control function of servers, not allowing connections from outside sources, having a decent Anti-Virus that actively scans executed code, making sure to do automatic updates, secure passwords, and initiate staff training, all would have reduced the probability or stopped this event from occurring. Backups uploaded to the cloud and off the network need to be checked for their integrity and regularly made as to speed up recovery in the event of an incident; there is nothing more inadequate than a faulty, aged or encrypted backup.
Additionally, a recovery response plan lessens the extent plus time it takes to bounce back from a ransomware or even corruption event. Taking a couple of days to run through and update the plan each year highlights any gaps in the response better than just downloading a template of a plan and hoping for the best when an incident occurs. The plan must be tailored to the size of your organisation, the type of software used and the type of data being stored.
About the Author
Alistair Ewing has over eight years of experience in Digital Forensic Analysis, Data Recovery, Mobile Phone Forensics, Litigation Support, and has served as an Expert Witness in criminal and civil cases in the UK. Mr Ewing began performing digital forensics in 2011 and has had hundreds of hours of experience in this sector. Qualified as an expert witness for some years and vetted by Sweet and Maxwell he has presented evidence in tribunals, civil and criminal courts in the UK and been involved in corporate investigations, litigation support and collections.
More information about Alistair Ewing can be found the Envista Forensics website.