A law firm ransomware attack has resulted in business files being left encrypted and inaccessible for three months, causing considerable billing losses for the firm.
Why did the law firm not simply pay the ransom demand to regain access to their files? Well, they did. Unfortunately, the attackers took the money and did not supply viable keys to unlock the encrypted files. Instead, they had a much better idea. To issue another ransom demand to try to extort even more money from the law firm.
The law firm, Providence, RI- based Moses Afonso Ryan Ltd, was forced to negotiate with the attackers to gain access to its data. It took more than three months and ransomware payments of $25,000 to finally regain access to its files. However, the ransomware payment represented only a tiny proportion of the cost of the attack. During the three months that data were locked, the firm’s lawyers struggled to work.
Moses Afonso Ryan made a claim against its insurance policy for lost billings as a result of the attack; however, the insurer, Sentinel Insurance Co., has refused to pay the bill. The law firm claims to have lost $700,000 as a result of the attack in lost billings alone. The firm has recently filed a U.S. District Court lawsuit against its insurer claiming breach of contract and bad faith for denying the claim.
The law firm ransomware attack involved a single phishing email being opened by one of the firms’ lawyers. That email has so far cost the firm more than $725,000 and the losses will continue to rise.
Important lessons can be learned from this law firm ransomware attack. First, the importance of training all staff members on the risk of ransomware attacks and teaching security best practices to reduce the risk of attacks being successful.
Since phishing emails are now highly sophisticated and difficult to identify, technical solutions should be implemented to prevent emails from reaching employees’ inboxes. Endpoint protection systems can reduce the risk of ransomware being installed and can detect infections rapidly, limiting the damage caused.
All businesses should take care to segment their networks to ensure that a ransomware infection on a single computer does not result in an entire network being impacted.
It is also essential for backups to be performed regularly and for those backups to be tested to ensure data can be recovered. This law firm cyberattack clearly demonstrated that organizations cannot rely on attackers making good on their promise to unlock data if the ransom is paid.
There have been cases where the attackers have not been able to supply a functional key to unlock data, and numerous examples of attackers issuing further ransom demands in an attempt to extort even more money out of companies.