Hackers attack Legal Services firm Law in Order with Ransomware
November 25, 2020 |
I have long posted on law firms being in the sights of cyber criminals. I raised this as an increasing threat in September last year, and covered attacks on Queensland law firms in 2017 and European law firms in 2016.
The Australian Financial Review, in Hackers threaten to publish data from attack on legal services firm, reports on a cyber attack on 22 November 2020 in which legal services firm Law In Order suffered a ransomware attack, with the hackers threatening to publish data unless a payment is made. The story is also covered by itwire, insurance business mag, and itnews. That list will grow.
Law In Order issued statements about what happened. It is far from a best practice response. General waffle. Full candour is not always possible because investigations take time. But that does not mean that writing excessive meaningless verbiage is the answer. That is particularly so when the Australian Financial Review has key information about the attack, for example that it was undertaken by Netwalker and is a ransomware attack. That makes the statement look even sillier than its generally poor drafting.
The statements provide:
On Sunday 22nd November 2020, Law In Order experienced a cyber security incident.
Over the weekend, Law In Order was the victim of a cyber security incident. As a precaution, to protect information and systems, we limited access to segments of our network, which also halted much of our business operations.
We have engaged expert cyber security investigators and advisers, who are working with our team to investigate and respond to the incident. Our priority is to restore systems back online safely and quickly.
We are making progress, however it is important that we do this methodically and safely as we work to resume normal business operations.
We are undertaking a thorough forensic investigation to understand the scope and details of the incident. This includes the extent to which information has been affected. We are assessing reports that a very small proportion of data on Law In Order’s servers has been exfiltrated and proactively advising customers who may be impacted. We have committed to being open and transparent with our customers and will continue to keep them informed as our work progresses.
We will continue to work closely with our cyber security advisors, as well as the Australian Federal Police (AFP) and the Australian Cyber Security Centre (ACSC), and to follow best practices while we work on restoring operations in a safe and secure manner.
…
Last Update – 23 November 2020
As a precaution, to protect information and systems, Law In Order has limited the access to much of its network which has therefore halted much of our business operations.
We have engaged expert cyber security advisors, and they and our IT team are actively investigating the incident and responding to it, and working to bring systems back online safely and quickly.
We are making progress, however, it is important that we do this methodically and safely as we work to resume normal business operations.
We are investigating the extent to which information contained in our system, including sensitive personal information, has been affected. At this stage we have seen no evidence of data exfiltration nor anything that indicates Law In Order’s customers’ networks have been compromised.
We will work with law enforcement agencies and privacy regulators as required.
This year we have seen several high profile cyber security incidents impacting Australian companies and public sector entities.
We will keep you informed as we learn more.
The hackers seem to be Netwalker, a strain of ransomware that dates back to August/September 2019. Netwalker has graduated from the tried and true distribution of malware through spam emails that tricked victims into clicking on phishing links to focusing on bigger targets and gaining access to their networks by exploiting unpatched VPN appliances, weak Remote Desktop Protocol passwords, or exposed weaknesses in web applications. It is not known which weakness Law In Order had.
Netwalker is a new variant of ransomware which spreads through VBScripts. A successful attack can then affect all the machines connected to the same Windows network.
Netwalker ransomware terminates all processes and services running on Windows, encrypts the files on the disk, and deletes backups that are stored on the same network. The attackers access sensitive data, which is used to blackmail victims into paying a ransom, failing which the material will be leaked online. Screenshots of stolen files together with a countdown are published on Netwalker’s public shaming website. Usually victims are given a week to pay the ransom.
The article provides:
Legal services firm Law In Order has been hit by a ransomware attack, with hackers claiming to have stolen data and threatening to publish it if the company fails to pay up within seven days.
Law In Order is a major supplier of e-litigation services and counts among its clients law firms including King & Wood Mallesons, Allens and Gadens, as well as several royal commissions.
The company is the latest in a string of high-profile ransomware victims, with logistics company Toll Holdings, beverage giant Lion and Downer-owned facilities management company Spotless also hit this year.
Hacking group NetWalker claimed responsibility for the attack on Tuesday and published what it claimed were screenshots of folders from Law In Order’s internal system on its dark web blog.
NetWalker also published extracts from Law In Order’s website, including that the company had “rigorous protocols” and “iron-clad security”.
“It’s no wonder so many top-tier law firms, blue-chip companies and government agencies trust us with their highly sensitive and confidential information,” an extract from the company’s About Us page read.
One person working in the sector described e-litigation suppliers as the keepers of corporate Australia’s most sensitive secrets.
In a statement, Law In Order confirmed the attack and said it had taken defensive steps to limit access to its network which had subsequently “halted much of our business operations”.
The statement said the company had engaged cyber security advisers CyberCX, who were working to respond to the attack, and Law In Order was proactively advising customers who may have been affected.
“Over the weekend, Law In Order was the victim of a cyber security incident,” the statement said. “We are undertaking a thorough forensic investigation to understand the scope and details of the incident.
“We are assessing reports that a very small proportion of data on Law In Order’s servers has been exfiltrated and proactively advising customers who may be impacted.
“We are making progress. However, it is important that we do this methodically and safely as we work to resume normal business operations.”
Law In Order did not respond to questions about whether the company was considering paying a ransom.
Spokespeople for KWM and Allens confirmed Law In Order was a vendor for their firms and they were receiving regular updates.
“We take the security and confidentiality of our client information extremely seriously and we are actively working with Law In Order to understand the nature and extent of the breach and the extent to which it impacts KWM and our clients,” a KWM spokeswoman said.
Brett Callow, a threat analyst for Emsisoft, said the NetWalker ransomware-as-a-service operation specifically targeted larger organisations.
“Like multiple other ransomware operations, NetWalker steals its victims’ data and uses the threat of releasing it online as additional leverage to extort payment,” Mr Callow said.
“Ransomware continues to become increasingly problematic. The average demand has increased from about $US5000 [$6835] in 2018 to more than $US150,000 today.
“Additionally, the fact data is stolen means that incidents are very often data breaches which can result in sensitive information leaking online and, of course, expose organisations to legal liability issues.”
While screenshots of internal folders may indicate penetration of the company’s systems, it does not mean data was copied or removed.
A similar attack and blog post from another ransomware operator last week on the Melbourne branch of accounting firm Nexia did not, according to the company, result in any data being stolen.
Emsisoft estimates ransomware will cost the Australian economy about $US160 million in 2020 in terms of ransom demands.
“When downtime is factored in, the cost increases to more than $US1 billion – and that’s an extremely conservative estimate,” Mr Callow said.
Law In Order is also working with the Australian Federal Police and the Australian Cyber Security Centre.
Law firms are a favourite target for cyber attacks. Unfortunately the quality of training and cyber protection is often lacking, particularly in smaller operations. In a very interesting recent itwire piece, Windows REvil ransomware group member says annual take is US$100m, a member of the REvil ransomware group stated that law firms, as well as agriculture companies, insurance companies, Internet service providers, and manufacturers, were preferred targets because they paid ransoms to get the decryption key rather than run the risk of data being published online.