It’s not often that Rolling Stone Magazine discusses network security. So when it does, you know to pay attention.
Did network security just become “cool?”
Unfortunately no; that will never happen outside our most outrageous pipe dreams. What happened was that the entertainment law firm representing celebrities such as Lady Gaga, Bruce Springsteen, and Madonna was hacked, and the private data of its most prestigious clients was held for ransom.
“It seems that GRUBMANS doesn’t care about their clients or it was a mistake to hire a recovery company to help in the negotiations,” the hackers wrote. “As we promised, we [published] the first part of the data because the time is up.”
— REvil
From Rolling Stone, “Celeb Law Firm Refuses Hacker Ransom as Lady Gaga Files Leak”
This is bad news for more than Grubman Shire Meiselas & Sacks, its clients, and the countless fans who have no wish to see the backstage legal dealings of the music industry; it is bad news for law firms in general, which are now far more likely to be targeted in the future.
REvil, the hacker organization responsible for the data heist, has been refining this strategy for the last year, leaving a wide trail of data breaches and extortions in its wake. The group has become something like the “Google” of the hacker community, and its attacks show every sign of expanding to larger and larger targets.
Whether REvil continues to target law firms or moves on, the fact that it has targeted one could set a new trend. How likely that grim possibility is depends on a number of factors, ranging from how successful the attack was to how easily others can adopt it. Clearly Google can do some things no one else can do. But if the strategies, tactics and tools deployed against Grubman Shire Meiselas & Sacks are easy to mimic, then we could see many mid-sized and smaller firms under attack.
Why Does REvil Target Law Firms?
First it helps to understand how this strategy has progressed historically, because that history reveals tactics that are likely to persist: they have survived every revision of a strategy that has evolved constantly since its inception.
Platte River Networks wrote about REvil four months ago in “Ransomware Now Threatens to Publish Your Data” because the group was metastasizing at an alarming rate and had already rewritten the rules of ransomware. It had developed three new ideas about how to ransom an organization.
1. Data is worth more as a hostage than business continuity
Until 2019 the focus of ransomware was almost exclusively business continuity: a piece of malware would disable critical systems and hold IT assets hostage until a fee was paid. It is not obvious at all that data should be worth more than critical functionality; it seems as if the whole system should be worth more than one thing the system contains. But in practice, a potentially dead business is worth less to save than a live one, and the shame of losing sensitive information is a public relations nightmare that is far harder to recover from than a destroyed IT infrastructure. Together these make data extortion more valuable than holding IT assets hostage.
2. Financially sensitive information is worth less than privileged information
REvil is not the only group to try its hand at extortion, but it has refined the tactics and tools used to leverage private information. The group releases private information in waves on publicly reachable, anonymously hosted leak sites, which makes the information public knowledge for paparazzi, journalists, and just your average curious person. Financial data such as card numbers can be cancelled and reissued; privileged attorney-client material cannot be made private again once it is published, which is what makes it the better hostage.
3. Higher returns from one breach affecting many tied records than many breaches.
Late last year REvil discovered that it could ransom dozens or even hundreds of victims with a single breach. A number of IT firms fell victim, and REvil proceeded to extort each of their clients individually with the data it reaped. We see the same idea at play in this most recent case, but to date we have not seen a victim as exposed to this tactic as a law firm, whose files concern many clients at once.
Will Other Hackers Be Able to Mimic REvil Easily?
Now that we have looked at the “returns,” it is time to look at the costs. The group clearly has some talented hackers working for it. So, how good do you need to be to copy REvil?
There are always proprietary mechanisms for gaining entry to well-defended organizations that cannot be copied, if only because they have a short shelf life. Even if REvil sells its software on the black market, security firms will be able to adapt and defend their clients against copycats using those mechanisms.
However, the threat increases for smaller law firms that may not have sophisticated defenses. Typically we see copycats pick off smaller targets with older systems; that is why municipal governments were popular targets at first. With older systems, breaching was simpler, which allowed REvil to fund its operations while developing the basic toolkit, almost like a prototype. Now it is about scaling. This latest heist demanded $42 million, and we only know about it because Grubman Shire Meiselas & Sacks did the right thing: instead of paying the ransom and feeding a growing cancer, the firm hired a security company.
How Can Small and Mid-Sized Law Firms Protect Themselves from Ransomware?
It is impossible to say how many firms have been targeted thus far, or how many will be targeted in the next year or two. However, judging from the success of these emerging tactics, we highly recommend taking action to add layers of network protection.
If you do not have an IT/security firm, consider hiring one. If you have one, take additional steps to increase security, such as multi-factor authentication, zero-trust access controls, employee training, encryption of sensitive data, and other security measures that will not only make your firm harder to penetrate but also protect your sensitive data against intruders who do get in. Platte River Networks deploys a full suite of online and offline protections. We adapt our protections in response to the most recent cyberattacks across the globe and, since our founding in 2002, have had a 100% defense rate: not a single client of ours has been hacked.
We cannot say whether REvil will continue to target law firms, or for how long. Perhaps the group will soon find another target profile that returns even more value. But we do urge extra precautionary measures for all previous REvil victim profiles, especially municipal governments and law firms.
We have worked extensively in the legal space for 20 years and currently provide full managed IT services to over 20 law firms. If you have any questions please feel free to contact David DeCamillis at david@platteriver.com for more information.