Ransomware is a massive problem. A $20 billion problem in 2021, to be exact. Any business and organization can be a target—including and especially law firms. That’s because, like banks and hospitals, law firms possess a significant amount of sensitive data entrusted to them by clients. That can prove irresistible to ransomware hackers, who are increasingly organizing sophisticated operations that run like a business, except their focus is cybercrime. 

There is also much at stake for any business that falls victim to a ransomware attack. In addition to having sensitive information fall into the hands of organized criminals, those bad actors can demand as much as $700,000 per server to release data. The average total ransomware amount paid is now around $1.2 million per incident. There is also the uncertainty as to whether cyber criminals can be trusted to decrypt the data when a ransom is paid and not sell it on the so-called dark web to other nefarious individuals. 

Thankfully, there are ways lawyers and law firms can protect themselves to both prevent a ransomware attack and even stop one that’s in progress before a situation becomes dire. In addition, it is not always necessary to pay a ransom—but that will depend on how quickly a breach attempt is spotted and stopped. 

How Ransomware Works

Ransomware attacks happen when a bad actor tricks someone in an organization to click on a link or download a file that installs a virus on their computer. This activity is called “phishing” and can involve hundreds of attempts against any computer user on a given network. Once downloaded, that malware will start to encrypt all the files on that individual’s computer—and then move on to any system connected to that computer. The malware does not stop with one computer or device: anything on the same network will soon be vulnerable. 

These attacks are organized and directed. Sometimes there are hundreds of people working together to penetrate a particular business. They also do their research and will tailor ransom demands to the size and revenues of the designated target. 

Once a network is infected and as many files as possible are encrypted, users will receive a ransom demand asking for payment of a certain amount of money—usually in Bitcoin or another untraceable cryptocurrency—to have the attackers decrypt the files. Previously, paying the ransom would unlock the data. More recently, however, ransomware criminals have taken ransom payments and unlocked files but then also keep the data and offer it for sale on the dark web. Yet another reason why preventing a ransomware attack in the first place is so important. 

Early Signs of a Ransomware Attack

A ransomware attack does not happen without visible signals that, if noticed, can prevent substantial damage from happening. These are the most common warning signs:

• An increase in phishing attempts. If a firm’s lawyers and staff start noticing a significant uptick in spam emails, that could be a sign bad actors are looking for ways to plant malware. Since it only takes one person clicking on a bad link or mistakenly downloading a virus-laden file to potentially infect an entire network, any increase in phishing attempts should immediately set off alarm bells. 
  
  
• Unauthorized access alerts. A firm’s network administrator may see an increase in unauthorized access attempt notifications. Individuals could also receive emails letting them know someone has tried to reset their passwords. This activity could indicate a ransomware attack is underway.
  
  
• Virus protection alerts. If an outside bad actor is trying to place malware on someone’s computer, any installed virus protection software may raise an alert and block the program from running. Having up-to-date antivirus software is an excellent idea as it can serve as the first line of defense. 
  
  
• Scrambled file names or contents. When malware encrypts the data on a computer, it will often scramble the names of files or make the files inaccessible. If a user is looking at their drive and notices their usual file names have been replaced with unrecognizable gibberish, that could be the early start of a ransomware hack. 
  
  
• Computers locking up. Malware can interfere with a computer’s operating software, and that will cause performance issues, including system freezes. If these start to happen out of nowhere, ransomware could be the culprit. 
  
  

Preventing a Ransomware Attack

Prevention is the best way to avoid problems with ransomware attacks. It begins with training everyone who accesses a computer at the firm—both lawyers and staff—to recognize the above signs. Then, procedures should be put in place to inform employees of the actions to take if something is discovered (i.e., alert a supervisor or the IT department).

Since the level of technical knowledge within firms can vary quite a bit (even in 2021), there are ways to help identify where problems might exist. Some tools are available, for example, that will send fake phishing emails within an organization to test for vulnerabilities. Essentially, this simulates a ransomware attack and can give valuable information to tailor education around the common pitfalls. 

Firms should also establish routine procedures for regularly backing up data, preferably to the cloud or to an offsite location. That way, if there is an attack, a clean backup is available to reinstall once any trace of malware is removed from the onsite systems. Cloud backup services also regularly scan data for malware and other viruses, which acts as a stopgap to any measures a firm has in place. 

These precautions and prevention measures apply to firms of any size. In fact, solo firms might be even more vulnerable as most do not have full-time IT staff. 

No, You Don’t Have to Pay: How to Stop a Ransomware Attack

Having robust preventative measures in place means it’s far more likely a law firm can stop a ransomware attack before it gets rolling and corrupts an entire network. The steps to follow in an ideal situation where only one computer is infected include:

• Disconnect. Immediately. Even the slightest indication that a ransomware attack has happened or is happening should lead a user to completely disconnect their computer from the law firm’s network(s). That includes both physical connections (i.e., LAN cable) and Wi-Fi. The computer should be completely air-gapped, meaning no data is going between it and the rest of the firm’s computers.
   
• Clean the affected computer(s). Once an infected computer—or computers if the malware has spread—is disconnected, you can start searching for the malware to remove it. Locating it can be tricky, and third-party service providers will do it for you to ensure it’s completely gone. Additionally, if costs are being monitored, there is also software that can assist. 
  
  
• Restore from backup. Only after a system is completely clean should data be restored from a cloud backup. 

These steps can be applied to most ransomware attacks, even if malware has spread throughout a network. It will just take longer and perhaps cost more to ensure every trace is gone. Again, having a recent backup on a cloud server is key to recovering. 

Doing this will also increase the likelihood that the firm will not have to pay to have its data released, and it might not even lose anything important if the cloud backup is recent enough. 

Don’t Panic! You Can Fight Ransomware

The vital thing to know about ransomware attacks is that all firms are vulnerable and, more than likely, will experience a ransomware attack at some point. How severe, disruptive, and expensive it is will depend on whether staff and attorneys are trained to spot early signs and the procedures put in place to deal with phishing attempts. Even if malware spreads, a firm shouldn’t panic and immediately give into ransom demands. A methodical approach that involves isolating affected computers, and servers, rooting out the malware, and then restoring from a clean cloud backup can usually deal with the situation.