Last weekend’s global ransomware attack hit the NHS in the UK, Spain’s communications giant, Telefónica, and computers and networks from the Far East to Portugal.
I published an article on the same subject in January of this year: How do you protect your law firm from ransomware threats? However, in the light of the media storm surrounding recent events, it’s worth revisiting the subject in detail.
The ransomware uses a vulnerability which first came to light from documents leaked from the US National Security Agency (NSA). Once inside a network, it spreads like wildfire.
This particular piece of ransomware, known as Wanna Decrypt0r, is the latest incarnation of the WannaCry malware.
Ransomware is a form of malware that blocks access to your computer or other device. It encrypts your files, rendering them inaccessible, and demands payment to unlock them.
Once infected, the ransomware usually contacts a central server for activation. It then starts to encrypt your files with information from that central server. Once completed, you will see a message asking for payment to decrypt the files. Invariably, the ransom is demanded in the cryptocurrency Bitcoin. This usually comes with the threat of total loss of your files, often accompanied by a timer to increase the fear factor.
Normally, ransomware spreads by hiding within email attachments. These can be Word documents or PDF files. It can also spread as a secondary infection, moving from one PC to another across a network.
The adjacent image is a fairly typical illustration of what you will see on your screen when the infection has taken hold. WannaCry usually demands $300 worth of Bitcoin to unlock your computers.
Paying the ransom is no reason to believe you will recover your data. In past years making the payment usually meant complete data recovery. However, there is absolutely no guarantee that this will happen. Take it as read that if you make a payment, you are simply funding crime.
Knowledge of the virus goes back as far as February of this year. Shortly afterwards, Microsoft released a patch for Windows which prevented it from spreading. Unfortunately, for reasons of laxity or lack of resources, many did not apply the patch to older versions of Windows. This is the main reason the NHS appears to have been one of the worst hit.
Once infection strikes there is precious little you can do that will work immediately. However, there are several courses of action that you can take:
If you hold your data and programs on your own server and have a backup medium, you should be OK. You’ll need to completely clean your server and PCs and restore from the backup. The amount of data loss you incur will be down to how recently you made the last backup.
You should make backups on a daily basis and store them either off site, or in a fire-proof location or use a cloud backup service.
Ransomware often relies on the victim running outdated software with known vulnerabilities. To combat this, the best approach is to create protocols for ensuring updates are performed when necessary. Keeping common third-party software such as Java and Flash up-to-date will eliminate a large number of threats.
There really is no excuse for being lax in this matter. Making use of a good quality antivirus solution throughout your entire system is a must. Ensure all laptops and portable devices that interact with your network have the same levels of protection as the network itself.
In addition to this, you can add a further level of security by providing each member of your team with only the level of privileges that they require to do their jobs. Granting everyone administrator privileges can allow an attacker administrator access in the event of your system being compromised.
Occasionally your staff may unwarily visit compromised websites or open emails that contain malvertising. These are the usual sources from which the infiltration and malicious downloads will come. By blocking access to malicious websites, emails and attachments you can protect your network and avoid problems.
In addition, make sure all your staff are aware of the hazards of using portable drives and memory sticks. Essentially, if you don’t know the origin of the device, you don’t know what it might contain.
Unfortunately, your staff are the weakest link in the security chain. If they allow themselves to fall victim to a phishing scam or other email-generated approach, they can compromise the security of your entire business.
Teach your fee earners and staff to recognise potential threats and to treat unrecognised or unsolicited mails with extreme caution. The simplest way to do this is to train them to ask these key questions about emails:
Intelligence about the latest threats provides you and your IT staff with advance warning about cyber crime activity in your area and industry.
You can keep up to speed with the latest reports from cyber intelligence organisations such as Talos. Talos publicly shares information about emerging threats and provides forums and instructional videos to help you keep ahead of the game.
It sounds straightforward enough. If you are thinking about using a cloud-based PMS, you need to ask the supplier a range of questions. Security procedures and backup frequency should be at the top of your list. A reputable supplier should be able to provide reassuringly detailed answers. All cloud software should be kept up-to-date and security patches applied on time. Prevention is better than cure.
LawWare Managing Director, Warren Wander, gives the following advice:
This latest malware threat appears to take advantage of the SMB (Server Message Block) protocol, which is utilised heavily within the Microsoft operating system, with an exploit to gain remote system access. The malware isn’t currently known to be distributed via email; however, this is a very likely candidate for further exposure and spread of the malware which is distributed by email and which is a very common first route in. With this in mind, please apply extreme caution when opening any email attachments.
The application requires the older version 1 of the SMB protocol for the exploit to work; however, this is still present in all Windows versions. Microsoft released a patch for Windows 2008r2 and above (Windows 2012, 2012r2 and 2016) in March which was applied to all LawCloud servers, which we update as soon as approved patches are released. We do not use Windows 2008 or Windows 2003/2003r2 operating systems which are vulnerable to this attack. Microsoft has released a special security patch for older versions of Windows and if you are using these and haven’t yet applied them, you must apply these straight away under advice of your local IT support.
- All data is securely backed up.
- We use ESET antivirus on Servers and Microsoft Security for Mailboxes which is always kept up to date.
- Windows updates are applied as soon as they have been approved so all servers are up to date.
- We implement a secure lockdown policy that is in place on all systems.
- We review our security, lockdown, backup procedures and resilience regularly.
This is one of many ransomwares out there. Please be vigilant with emails that you open, especially opening attachments. Please use your best judgement and, if something looks suspicious, Don’t Click On links or downloads or open any attachments that you are uncertain about.
Whilst we offer the best protection we can on LawCloud, the onus is on you and your own IT people to ensure that your local systems are protected, including your PCs, mobile devices and in-house servers. You should make sure that all systems are up to date with the latest security updates and patches and that you aren’t running any out-of-date operating systems that may have vulnerabilities.
Furthermore, Partners, Managers, Directors should enforce protection policies, ensuring that work email addresses are for work only, and that web browsing (specifically functionality in LawCloud) is NOT for personal browsing and should be limited to essential business sites only.
If you would like any further information, please do not hesitate to contact me directly.
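The advice above turns on two checks for each local Windows machine: whether version 1 of the SMB protocol is still enabled, and whether updates have been installed recently. The following script is an added example, not LawWare's or Microsoft's own code, that reports both for the machine it runs on. It assumes Windows PowerShell 3.0 or later in an elevated session; the `-DisableSmb1` switch name and the 35-day threshold are choices made for this example.

```powershell
# Added example: audit SMBv1 server status and patch recency on one Windows host.
# Run from an elevated PowerShell prompt. Read-only unless -DisableSmb1 is given.
param(
    [switch]$DisableSmb1,        # switch name is an assumption of this example
    [int]$MaxPatchAgeDays = 35   # assumed threshold: about one monthly patch cycle
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$hasSmbCmdlets = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)

function Test-Smb1ServerEnabled {
    if ($hasSmbCmdlets) {
        # Windows 8 / Server 2012 and later
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older Windows: registry DWORD "SMB1"; a missing value means SMBv1 is enabled
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

# Most recent installed update; InstalledOn is empty on some entries, so skip those
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1

$patchAge = if ($lastPatch) { ((Get-Date) - $lastPatch.InstalledOn).Days } else { $null }

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    OS              = (Get-CimInstance Win32_OperatingSystem).Caption
    Smb1Enabled     = Test-Smb1ServerEnabled
    LastUpdate      = if ($lastPatch) { $lastPatch.HotFixID } else { 'none found' }
    DaysSinceUpdate = $patchAge
    PatchOverdue    = ($null -eq $patchAge -or $patchAge -gt $MaxPatchAgeDays)
}

if ($DisableSmb1 -and (Test-Smb1ServerEnabled)) {
    if ($hasSmbCmdlets) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Takes effect after a restart on these older versions
        New-ItemProperty -Path $key -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Write-Output 'SMBv1 server support disabled.'
}
```

Older scan-to-folder copiers and network storage devices may still depend on SMBv1, so run the report first and test one machine before disabling the protocol across an office.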
© LawWare Limited 1995-2018