This weekend saw one of the most ambitious, and successful, cyberattacks in history: Hundreds of thousands of infected computers were held hostage by WannaCry, a ransomware program that spread across the globe, bringing in an estimated billion dollars and change in extorted payments in just a few days. The malware, which targeted everything from hospitals in England to ATMs in India, exploited a weakness in Microsoft Windows, allowing the program to encrypt files and hold them hostage. If years of law firm hacks haven’t convinced you to take cybersecurity seriously, the WannaCry attack should.
But, when it comes to protecting yourself and your data from electronic hostage-takers, software flaws are just one concern. There is a whole universe of vulnerabilities hackers can exploit to get into your data — including your ego.
Hackers Are Coming for Your Law Firm
The WannaCry attack was unprecedented in its breadth, spanning 150 countries and every corner of the globe. When the ransomware program was activated last Friday, the message “Oops, your files have been encrypted!” flashed across an estimated 200,000 screens. The program then demanded $300 in Bitcoin in order to unlock each infected computer.
How did so many computers end up succumbing to WannaCry? Though the program was a relatively sophisticated ransomware attack, it spread through one of the oldest hacker strategies around: the phishing email. Cybercriminals, potentially working from North Korea, sent their victims emails with encrypted .zip file attachments. If recipients clicked on the attachment, the malware would be installed on their computers where it could sit until being activated.
But WannaCry wasn’t content with the solitary life. Exploiting a weakness in Windows, one first identified by the NSA and then leaked online, the malware spread its code through a computer’s file sharing structure, such as shared drives and drop boxes. One misguided email recipient, then, could put a whole organization at risk.
The U.S. legal industry remained largely untouched by the malware outbreak, but this was largely a fluke. A 22-year-old cyber analyst going by the name of MalwareTech was able to catch a weakness in the program and shut it down before it spread throughout the U.S. Every once in a while, after all, “fortune brings in some boats that are not steered,” but we’re unlikely to be so lucky again.
While WannaCry cast a wide, wide net of cyberexploitation, many attacks are much more targeted, and they’re increasingly targeted at lawyers. One out of every ten advanced cyberattacks targets a law firm, according to the Harvard Journal of Law & Technology. There’s no wonder why. Law firms are full of valuable information, whether it’s the treasure troves of client data in discovery repositories or confidential, insider information in partner emails.
When those attacks are successful, the costs can be high. One ten-attorney Rhode Island law firm, for example, is currently suing its insurer over losses stemming from a recent ransomware attack. The firm claims it not only lost $25,000 in ransom payments, but an additional $700,000 in lost billings during the time their data was held hostage.
Those expenses may be on the lower side, as well. The average data breach costs $7.2 million, according to the Ponemon Institute, or $214 per client record.
Mirror, Mirror on the Wall, Who’s the Most Susceptible of All?
Last year, the Russian cybercriminal “Oleras” targeted nearly 50 law firms in a sophisticated attack. The goal was to steal confidential information for the purpose of insider trading. The strategy was straightforward: target lawyers with phishing emails, the same type of emails that led to the recent WannaCry outbreak.
But there was a tweak. In an attempt to tailor their phishing emails to the legal industry, the hackers decided to target attorneys’ vanity. A group Oleras was talking to online suggested that lawyers would be more likely to take the bait if the emails spoke to their high self-conception, Ed Beeson reported in Law360 recently:
Oleras had a list of nearly 50 influential U.S. and U.K. law firms. To figure out which lawyers to target, Oleras and other hackers mined the social media accounts and online profiles of lawyers at the firms, taking note of the ones who listed seemingly every honor and achievement they’d been given.
Those attorneys were then sent emails informing them that they’d won an award from Business Worldwide. With their skepticism overtaken by their pride, attorneys would fall for the trick and invite the hackers into their networks, potentially compromising sensitive client information throughout a firm.
“The group claimed that attorneys have huge egos and [playing on] that would be the perfect thing to make them click on emails,” according to Vitali Kremez, the cybersecurity researcher who uncovered Oleras’ scheme last January.
No one knows for sure if the targeted attorneys fell for the trick, but Oleras “was pretty much happy and satisfied with the campaign,” Kremez says.
Sure, fawning phishing emails are just one way to get hacked. Regular email fraud, minus the sycophancy, remains a constant risk. Two-thirds of malware last year was installed via malicious email attachments, according to Verizon’s 2017 Data Breach Investigations Report, and one in 14 people targeted by phishing emails fell for them.
Another major risk factor is poor “cyber hygiene,” such as a failure to keep your network and security systems up to date, or even to require robust passwords. Eighty-one percent of hacking breaches last year leveraged stolen or weak passwords, the DBIR reports.
A comprehensive approach to cybersecurity will need to utilize a variety of strategies to protect sensitive data against loss, theft or compromise — including the occasional ego check. So, the next time you get an email that’s designed to stroke your ego, treat it with the same critical eye you’d apply to a message from a Nigerian prince, lest you end up on the wrong side of a sophisticated cyberattack.
This post was authored by Casey C. Sullivan, Esq., who leads education and awareness efforts at Logikcull. You can reach him at firstname.lastname@example.org.