How Law Firms Can Spot and Stop Ransomware Attacks

Brad Paubel
Chief Technology Officer & Chief Operations Officer, Lexicon

Originally published in the December 2021 issue of the St. Louis Lawyer magazine. Download PDF.

Law firms make rich targets for ransomware attacks because they are entrusted with so much sensitive information. That can prove irresistible to hackers, who are increasingly organized and sophisticated in their approach. Thankfully, there are ways lawyers and law firms can protect themselves to both prevent a ransomware attack and even stop one that is in progress before a situation becomes dire.

How ransomware works

Ransomware attacks happen when a bad actor, a cybersecurity adversary interested in attacking information, uses "phishing" to trick someone in an organization into clicking on a link or downloading a file that then installs a virus on their computer. That malware then spreads to any connected networks and computers. Users will then receive a ransom demand asking for payment — usually in Bitcoin or another cryptocurrency — to decrypt the files.

Know the early signs of a ransomware attack

Thankfully, there are warning signs a ransomware attack is imminent or underway. They include:

• Increased phishing attempts. An uptick in spam emails could be a sign bad actors are trying to plant malware. Any increase in phishing attempts should immediately set off alarm bells.
• Unauthorized access alerts. IT may see a lot more unauthorized access attempt notifications, and users could receive emails letting them know someone has tried to reset their password.
• Virus protection alerts. It is a bad sign if antivirus software starts sounding the alarm about potential malware.
• Scrambled file names or contents. If a user is looking at their drive and notices their usual file names have been replaced with unrecognizable gibberish or cannot be opened, that could be the early start of a ransomware hack.
• Computers locking up. Malware can interfere with a computer's operating software and that will cause performance issues, including system freezes. If these start to happen out of nowhere, ransomware could be the culprit.

Preventing and dealing with a ransomware attack

There are several steps to take to prevent ransomware attacks and address them to mitigate potential damage.

• Back up to the cloud. Firms should make regular backups a priority, preferably to the cloud or to an offsite location. That way, if there is an attack, a clean backup is available to reinstall once any trace of malware is removed from the onsite systems. Cloud backup services also regularly scan data for malware and other viruses, acting as a stopgap to any measures a firm has in place.
• Disconnect. Immediately. Even the slightest indication that a ransomware attack has happened or is happening should lead a user to immediately and completely disconnect their computer from the law firm's network(s). That includes both physical connections (i.e., LAN cable) and Wi-Fi. The computer should be completely air-gapped, meaning no data is going between it and the rest of the firm's computers.
• Clean the affected computer(s). Once an infected computer — or computers if the malware has spread — is disconnected, you can start searching for the malware to remove it. This can be tricky and third-party service providers will do it for you to ensure it is completely gone. There is software for this, too, if cost is an issue.
• Restore from backup. Only after a system is completely clean should data be restored from a cloud backup.

Do not panic. You can fight ransomware

Sooner or later, most firms will face a ransomware attack. The key is ensuring everyone knows how to spot one and what to do if they suspect something is amiss. That will go a long way to mitigating any potential damage.