Adaptive Segmentation | micro-segmentation | July 22, 2020

Ransomware Attacks on Law Firms Spike: Endpoint Protection and Zero Trust Security

Katey Wood

Every crisis is an opportunity – for somebody.

For example, I began my enterprise IT career at the height of the global financial crisis in 2008. Demand was high for financial analysis of legal tech and GRC markets, because they can be counter-cyclical – i.e., when the chips are down in the economy, business is “up” in preventing, investigating, and litigating corporate fraud or malfeasance.

Today’s economic volatility is no different. The legal industry will likely see increased demand for multi-district litigation, M&A second request compliance work, and bankruptcies to administer. A lot of discovery, billable hours and hosting GBs of sensitive client evidence will result. It’s no surprise, then, that law firms are an attractive target for ransomware attacks. In the cat-and-mouse game of security, attackers are once again looking for their cut of global pandemic opportunities in booming industries.

“Follow the money”

Wired recently quoted Microsoft calling the new wave of attackers “Rational Economic Actors” – which means they “follow the money,” whether that is hacking a publicly-traded legal services provider hosting evidence for thousands of legal cases, ransoming evidence of Hollywood clients from an entertainment law firm, or (in pandemic times) also hitting the World Health Organization (WHO), and COVID-19 vaccine test centers.

Hacking law firms isn’t new, as the fallout for clients of the now-defunct law firm Mossack Fonseca in the wake of the 2016 Panama Papers breach made clear. But it’s accelerating, with 5 Maze ransomware attacks on law firms across 3 US states reported in early 2020.

The heightened threat does not come from a yet more technologically lethal strain of ransomware, but from the fact that:

  1. the criminal methods have become more profitable – and more public; and
  2. quarantine conditions are ideal for attacking poor cloud security.

How has ransomware grown? After the initial shock and awe from the $10B+ damages of the 2017 WannaCry and NotPetya attacks on large global enterprises, a lot of ransomware in the headlines was relatively small-scale in recent years – identified by local governments required to self-report, or small businesses that couldn’t pay the ransom and were forced to notify clients they were folding.

These were major attacks that forced the victims to walk back their automation to using pencil and paper – but the scale and cost were still comparatively small and often unreported, making the risks seem remote.

Not anymore. Ransomware as a Service (RaaS) like REvil and Maze has streamlined operations of large-scale ransomware enterprises – plus made their methods a lot more extortionate. Just in time for a massive shift to remote work, leaving corporations more exposed than ever.

Duking it out in the headlines

How bad is it? In May, the threat group behind REvil ransomware (also known as Sodinokibi) published an alleged sample of 756GB of client data exfiltrated from the New York City law firm Grubman Shire Meiselas & Sacks, asking an initial ransom of $21M before doubling it to $42M.

But the double threat of modern ransomware is not just data loss through encryption, but additional blackmail of victims through posting personal data online – and the public media battle that goes along with it. In the wake of the Grubman hack, Donald Trump, Lady Gaga, Madonna, LeBron James, Jennifer Lopez and David Letterman found themselves not only the clients of their law firm, but the clients of ransomware gangs offering to prevent the exposure of their confidential contracts, phone numbers, email addresses, personal correspondences, non-disclosure agreements, and more – for a fee.

Is it any surprise clients are increasingly requesting audits of their law firm security?

And it doesn’t end at law firms, healthcare, or other essential verticals – increasingly attacks are not just targeting boom industries but also specific organizations.

How can attackers pick the best organizations to hack? The New York Times reported last month that Russian organizations are using Virtual Private Networks (VPN) to identify corporate networks (for an attractive target), wait for the employee to go to a public website to infect the computer, then reconnect to the corporate network and propagate – sometimes setting ransom in the millions.

WFH pushes the perimeter to the edge

Why does this keep happening? The reality is that perimeter security will not adequately protect your remote workforce or your business from ransomware. Breaches still occur because bad links keep getting clicked and attackers keep making money.

The fact that attacks are successful also means that existing endpoint security solutions aren’t entirely effective. For a zero-day exploit, for example, Endpoint Detection and Response (EDR) tools rely on mean-time-to-detection (MTTD) to identify the threat – leaving minutes to potentially hours (or overnight) for the new strain to infect hundreds or thousands of endpoints before it is resolved. What can happen in that time? For reference: one victim in the NotPetya attack lost 15,000 endpoints in 90 seconds. More contemporary “living off the land” attacks, on the other hand, can have dwell times of months before the ransomware hits. We estimate from our recent end user survey that about one incident per quarter slips through entirely.

Infections at this scale occur because there is not adequate endpoint security to prevent lateral movement between systems on the network:

  • Without policy to block vulnerable ports and fence off your endpoints from each other to prevent malware propagating, ransomware is able to use the privileges of the user or application that launches it to freely traverse the network and cause mayhem.
  • With Zero Trust security, access privileges are fit-to-purpose, and malware is automatically contained to the first endpoint, ensuring the first infected laptop is the last.

This is why the real opportunity during this time is security!

Zero Trust security and least privilege

We’ve already gone in-depth on how Zero Trust security can protect your internal networks through an allowlist, default-deny policy, increasing “trust” in your systems by limiting who can access what for legitimate business purposes.

Does that sound familiar? Coincidentally, attorneys have a similar concept of privilege – they strictly adhere to the legal confidentiality of client privilege in dealing with client data and legal evidence. Maintaining this is paramount in and out of court to ensure client trust and confidence.

Practitioners today observe Zero Trust security, with the “principle of least privilege” that any data should have the minimum user access necessary – whether inside or outside the organization. This “allowlist” approach effectively maintains the confidentiality of data and prevents the spread of breaches from low-value systems to high-value systems – or, in the case of law firms, from an external contractor to internal systems, and from one client’s data to another.
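To make the two points above concrete (blocking endpoint-to-endpoint pathways so the first infected laptop is the last, and an allowlist, default-deny policy), here is an added example that is not Illumio’s code: a small default-deny policy evaluator and a lateral-movement simulation over a constructed inventory of three laptops and two servers. The hosts, addresses, the single allowlist rule and the ports the simulated worm tries are all assumptions made for the illustration.

```python
# Added example (not Illumio's code): a default-deny allowlist policy evaluator
# and a lateral-movement simulation showing why peer-to-peer endpoint traffic
# should be blocked. All hosts, addresses, rules and ports below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    """One allowlist entry: hosts in src may open dst on the given TCP port."""
    src: str
    dst: str
    port: int

# Constructed inventory: three laptops on the user subnet and two servers.
HOSTS = {
    "laptop-1": "10.1.0.11", "laptop-2": "10.1.0.12", "laptop-3": "10.1.0.13",
    "file-srv": "10.2.0.10", "hr-srv": "10.2.0.20",
}

# Least-privilege policy: laptops need the file server over SMB and nothing else.
# Anything not listed (including laptop-to-laptop traffic) is denied by default.
ZERO_TRUST = [Rule("10.1.0.0/24", "10.2.0.10/32", 445)]

# Ports the simulated worm tries for lateral movement (assumed for the example).
LATERAL_PORTS = (445, 3389)

def allowed(rules, src_ip, dst_ip, port):
    """Default deny: a flow passes only if an explicit allowlist rule matches."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(s in ip_network(r.src) and d in ip_network(r.dst) and r.port == port
               for r in rules)

def blast_radius(first_infected, rules=None, ports=LATERAL_PORTS):
    """Return the set of hosts a worm starting at first_infected can reach.
    rules=None models a flat network where every host can talk to every other."""
    infected, frontier = {first_infected}, [first_infected]
    while frontier:
        src = frontier.pop()
        for dst in HOSTS:
            if dst in infected:
                continue
            if rules is None or any(allowed(rules, HOSTS[src], HOSTS[dst], p) for p in ports):
                infected.add(dst)
                frontier.append(dst)
    return infected

if __name__ == "__main__":
    print("flat network :", sorted(blast_radius("laptop-1")))
    print("default deny :", sorted(blast_radius("laptop-1", ZERO_TRUST)))
```

On the flat network every host is reachable from the first laptop; under the default-deny allowlist the worm can only follow the one permitted path to the file server, and the file server has no rule letting it reach any laptop back.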

Illumio Edge: Zero Trust for the Endpoint

Does it sound too good to be true? It doesn’t have to be. Illumio launched our endpoint security product, Illumio Edge, to extend our Zero Trust leadership from our best-of-breed data center segmentation to the endpoint. By once again decoupling “network” segmentation from the network, Illumio can offer protection at the edge that moves with your workforce and secures them wherever they go.

  • Illumio Edge offers a simple, invisible, no-touch solution for Zero Trust security on the endpoint that’s easy to deploy and doesn’t create a blizzard of IT tickets from blocked connections.
  • Illumio Edge complements capabilities of existing EDR and NAC investments with default containment of malware, easily blocking common pathways to attacks between endpoints, and providing superior visibility – for straightforward policy creation and enforcement with no surprises for users!

Find out more about how Illumio Edge helped a global law firm secure its endpoints and protect client data – read their story here.
