Last fall, the Federal Bureau of Investigation issued a “High Impact” warning regarding increased ransomware attacks on U.S. businesses and organizations. This is notable because the last time the FBI addressed ransomware was in 2016. Ransomware is software used by cybercriminals to encrypt a victim’s electronic files, preventing the victim from accessing them. The criminals then demand a ransom in exchange for restoring access.
The FBI advised that while the overall number of ransomware campaigns had declined sharply, losses from ransomware attacks are on the rise as the attacks become more targeted, sophisticated and costly. Some estimates put 2019 ransomware liability in excess of $7.5 billion. Since then, ransomware attacks have only grown more common and more sophisticated. Hackers recently struck an accounting firm, a grocery chain, and a college. Hackers even forced the city of Riviera Beach, Florida to pay the equivalent of $60,000 in bitcoin to rescue the city’s encrypted data.
Law firms in particular have become targets of hackers seeking to profit from ransomware attacks. The DLA Piper attack is certainly the most notable. In 2017, DLA Piper was hit by NotPetya, Russian malware, causing the multinational firm to go offline for days, wipe its servers and rebuild from scratch, including 15,000 hours of extra overtime for IT staff. One law firm in Providence, Rhode Island paid $43,000 to a hacker group after its data was locked down for three months. The firm sued its insurance company when it refused to cover the claim. More recently, Seyfarth Shaw was attacked by ransomware in October 2020. However, law firms with 500+ attorneys appear to account for only around 20% of cyber attacks; the majority instead target smaller firms of 1-19 lawyers, at a rate of over 52%. This is seemingly because smaller law firms are less likely to have sophisticated and robust cyber security systems in place. Law firms and court systems can also be indirectly affected by ransomware when their managed service providers (MSPs) are attacked, as happened to TrialWorks in October 2019 and Epiq Global in March 2020.
Ransomware hackers infiltrate law firms through targeted emails containing malware attachments, crafted to appeal to attorneys and their employees. This method is called “spearphishing.” Once an employee of a firm opens the email’s attachment, the malware downloads the ransomware, which encrypts the victim firm’s files and sensitive material. Other methods include scam websites fashioned to resemble cryptocurrency sites, government agencies or even well-known security vendors.
Typically, a hacker wielding ransomware will lock a firm’s computer system, then demand a ransom to release the lock and allow the firm to resume operations. Recent attacks, like those by Maze, a ransomware group that has been targeting law firms, use the threat of publication as an alternative means of extortion. The name of the target is listed on the Maze website. If no payment is forthcoming, the hackers publish a snippet of the data to show they mean business.
Ransomware attacks can expose attorneys to third-party liability. For example, a recent lawsuit filed in the D.C. Circuit alleges that a hacking incident involving a law firm exposed personal information of its former client, a Chinese citizen, to a hacker that had infiltrated the law firm’s servers. Ransomware hackers blackmail firms hoping they will pay the ransom to avoid such a scenario.
One hacker group, Maze, has chosen to focus on the legal industry, hacking firms in Texas and Oregon in the last year. Maze, active since May 2019, is particularly dangerous because it threatens to leak confidential data if the ransom is not paid. In January of this year, Maze attacked three small law firms in South Dakota in one 24-hour period. Maze published the names of the law firms on the websites it uses to announce its targets, threatening to reveal their data unless they agreed to pay a steep fee. More recently, Maze exposed the data of Baker Wotring LLP, a Texas law firm, including fee agreements and diaries from personal injury cases.
What to do in the event of a ransomware attack? Immediate steps are to isolate the infected system if possible, turn off all other computers and devices, and secure your backups, then alert your security provider. Even more importantly, notify your cyber insurer who may be able to assist with any cyber incident response to mitigate potential damages.
The FBI warns against paying ransoms, as it “emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals.” Moreover, there is no guarantee that the hacker will unlock the data following payment. Rather, the FBI requests that victims report the bitcoin wallets used by the hackers and provide the complete phishing emails received in the scam. However, some companies may make the business decision to pay the ransom, as it can be seen as cheaper than purchasing new servers, reconstructing lost data, and absorbing the cost of business interruption. Some cyber insurers will assist with ransom payment.
However, as an added twist, on October 1, 2020, both the Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) posted advisories on ransomware indicating that there may be some criminal implications for banks that pay a ransom. FinCEN and OFAC are bureaus of the U.S. Department of the Treasury. Specifically, OFAC warns that payments to certain cyber criminals may be payments to known threats to national security or to countries on which the U.S. has imposed embargoes. OFAC warns:
Under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria). Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited. U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons, which could not be directly performed by U.S. persons due to U.S. sanctions regulations. OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.
Given that paying a cyber ransom is fraught with complications, prevention is the best medicine. The FBI recommends the following to prevent ransomware attacks and mitigate damages in the event of one:
- Regularly back up data to storage that is not connected to the network being backed up. If you do this, a ransomware attack will not cause a significant loss of data.
- Train employees. Employees should be trained not to open suspicious emails and in the other cyber security measures they can take.
- Use up-to-date antivirus software, firewalls, and email filters.
- Employ the principle of “least privilege,” which states that a user should be given only those privileges needed to complete its task.
- Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as the temporary folders used by popular internet browsers and compression/decompression programs, including those located in the AppData/LocalAppData folder.
- Employ best practices for use of Remote Desktop Protocol (“RDP”), including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
- Implement application whitelisting: only allow systems to execute programs known to and permitted by security policy.
- Use virtualized environments to execute operating system environments or specific programs.
- Require user interaction for end-user applications communicating with websites uncategorized by the network proxy or firewall. For example, require users to type information or enter a password when their system communicates with a website uncategorized by the proxy or firewall.
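As an added example of the RDP recommendation above (this is editor-supplied PowerShell, not code from the article or the FBI advisory), the script below checks which hosts on your own inventory still answer on TCP/3389, verifies that RDP on the local host requires Network Level Authentication, and summarises RDP logon attempts from the Windows Security log so that password-guessing against RDP stands out. The host names are constructed placeholders; replace them with your asset list.

```powershell
# Added example, not from the article: audit RDP exposure and review RDP logon
# attempts on Windows hosts, following the FBI's RDP advice above.
# Run in an elevated session; reading the Security log requires admin rights.

# 1. Inventory: which hosts on your own list still answer on TCP/3389?
#    The host names are constructed placeholders; substitute your asset list.
$inventory = @('FILESRV01', 'DOCMGMT01', 'WS-PARALEGAL-07')
$rdpHosts = foreach ($h in $inventory) {
    $t = Test-NetConnection -ComputerName $h -Port 3389 -WarningAction SilentlyContinue
    if ($t.TcpTestSucceeded) { $h }
}
Write-Host "Hosts answering on 3389: $($rdpHosts -join ', ')"

# 2. Local configuration: is RDP enabled, and is Network Level Authentication (NLA) required?
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nla = (Get-ItemProperty "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1
Write-Host "RDP enabled: $rdpEnabled   NLA required: $nla"
if ($rdpEnabled -and -not $nla) { Write-Warning 'RDP is reachable without NLA: enforce NLA or disable RDP if unused.' }

# 3. Logon review: interactive RDP logons are LogonType 10 in Security events
#    4624 (success) and 4625 (failure). Caveat: when NLA is on, bad credentials
#    are often rejected as LogonType 3 network logons instead, so review those too.
function Get-RdpLogonSummary {
    param([int]$Days = 7, [int]$FailureThreshold = 10)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-$Days) }
    $rows = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = @{}
        foreach ($f in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d['LogonType'] -ne '10') { continue }
        $outcome = if ($e.Id -eq 4624) { 'success' } else { 'failure' }
        [pscustomobject]@{ Time = $e.TimeCreated; Outcome = $outcome
                           User = $d['TargetUserName']; Source = $d['IpAddress'] }
    }
    # Many failures from one source address is the signature of password guessing against RDP.
    $rows | Where-Object Outcome -eq 'failure' | Group-Object Source |
        Where-Object Count -ge $FailureThreshold |
        ForEach-Object { Write-Warning "$($_.Count) failed RDP logons from $($_.Name) in the last $Days days" }
    $rows
}
Get-RdpLogonSummary | Sort-Object Time -Descending | Format-Table -AutoSize
```

Hosts that answer on 3389 but have no business need for remote desktop are candidates for closing the port, and the warning on repeated failures is the kind of signal the FBI's "logging RDP login attempts" recommendation is meant to surface.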
* This article was prepared by Rachel Aghassi and Christopher D. Skoczen of the New York City-based law firm of Furman Kornfeld & Brennan LLP. For more information about the above topic or the authors, please visit: www.fkblaw.com
We trust that the above article was useful and thought-provoking; however, please note that it is intended as a general guide and opinion only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.
This material is for informational purposes only. It is not intended to be exhaustive, nor should any discussions or opinions be construed as legal advice. The insurance policy language will determine the actual coverage afforded to an insured. Contact USI Affinity for any insurance questions you may have regarding your particular situation. USI Affinity is not responsible for the content of the information provided or for the consequences of any legal actions taken on the basis of the information provided.
Alert No. I-100219-PSA. https://www.ic3.gov/Media/Y2019/PSA191002.
Emsisoft. The State of Ransomware in the US: Report and Statistics 2019. blog.emisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019.
Mazzei, Patricia. Hit by Ransomware Attack, Florida City Agrees to Pay Hackers $600,000. The New York Times. https://www.nytimes.com/2019/06/19/us/florida-riviera-beach-hacking-ransom.html.
Goud, Naveen. Hackers Lock Law Firm Files for Three Months with Ransomware. Cybersecurity Insiders.
Cassens Weiss, Debra. Seyfarth Shaw is in “Restoration Phase” after Malware Attack. ABA Journal. https://www.abajournal.com/news/article/seyfarth-shaw-is-in-restoration-phas-after-malware-attack.
Schreider, Tari. Ransomware Attacks in the Legal Profession. Law.com. https://www.law.com/corpcounsel/2020/05/26/ransomware-attacks-in-the-legal-profession.
See Guo Wengui v. Clark Hill, PLC, et al., 2020 WL 837166 (D.C.C. Feb. 20, 2020).
Smith, Patrick. Maze Hackers Publish Texas Law Firm’s Confidential Data. Law.com. https://www.law.com/2020/02/11/maze-hackers-delist-texas-law-firm-as-ransom-pressures-mount.
FIN-2020-A006. https://www.fincen.gov/sites/default/files/advisory/
October 1, 2020 Department of the Treasury Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf.