Here Peter Groucutt, managing director of Databarracks, tells us what is known so far about the recent global cyberattack that was disguised as ransomware and has affected DLA Piper among thousands of other major corporates. Groucutt explains how the virus – disguised as ransomware – is in fact a wiper designed to damage data; how companies may have become infected; whether infection is a sign of organisational failure; and what steps law firms must take to protect themselves. Here’s a clue – back up.
What do we know about the virus so far?
We know is that it’s a variant of the WannaCry ransomware but the similarities between the two things are only surface based and that’s where they stop.
WannaCry was an old very widely available piece of ransomware that was essentially weaponised with some additional code that was taken from the NSA. What that did was it made a widely recognised piece of ransomware which exploited old and unpatched servers and allowed it to spread more aggressively. NSA had allowed the installations on networks of infected machines that could talk to each other.
WannaCry had a kill switch in it and was probably a bit of an experiment designed to generate money. It raised $80,000 and interestingly the money hasn’t been taken. So almost certainly it was a criminal attack designed to create revenue but the perpetrators got scared.
The second attack is interesting because on the surface it pretends to be ransomware but the address and keychain means they can never tell that anyone has paid into it.
If you pay, they can’t tell you’ve paid, so it’s a fake. There’s no decryption key and they can’t access the money. It’s just a malicious attack, called a ‘wiper’, which is just there to delete and destroy as much data as possible.
Initially it was targeted at the Ukraine and it’s because again it’s got this weaponization using NSA infection mechanism that it has then spread so viciously. It has all the hallmarks of a nation state sponsored attack. Everyone else is collateral damage and it’s very irresponsible and tantamount to cyber terrorism.
How did businesses become infected?
They can get in in all sorts of ways and there are all sorts of infection mechanisms.
It could well have been someone clicked on something relatively innocent. It could have been embedded in Office 365 documents. Things are being embedded in Google Docs and in websites. You don’t necessary even have to click on a link.
Is infection a sign of a cyber failing on the part of those affected?
Failing is too strong a term. What you’ve got is a balance between security and allowing the technology to do the job it’s designed to do. It’s the same quandary with terrorism. How can you legislate against someone driving a car at a crowd of people? The only way to stop it is so draconian that you wouldn’t be able to do anything. We’re in an arms race at the edge of cybersecurity with criminals testing every edge and route and piece of firmware and every firewall and every packet transaction to find and exploit a vulnerability and the security firms are hardening more and more and closing loop holes as they become aware. In the middle, you have people trying to transact business. The balance between protecting yourself and not exposing yourself to risk is where we are.
I can tell you for a fact that we’re restoring data for law firms all the time after cyber attacks. Eighty percent of all of the restores we do now is to do with ransomware of one kind or another.
What everybody is very mindful of is that it’s ransomware, its WannaCry, its Crypto locker, but they have their eyes closed to what’s lurking in the dep which is spyware. You know you’ve been hit by ransomware because it says ‘give us your files or we’ll delete them’ but if you have a senior partner who clicks on the link and nothing happens but could be spyware reading his emails and gathering passwords undetected.
People are focussing on a street mugging compared to a potential bank robbery.
The only way to legislate against things like that are to have very clever machine learning type systems like Darktrace.
What should law firms be doing to protect themselves?
You have three strains of approach to cyber resilience in high level strategic terms. If you’re an IT director or managing partner or in risk thinking ‘what approach can I take now’ there are three options:
– I can put in place some technology such as antivirus and anti-spam and I can keep all those up to date. I can make sure my software is up to date and install operating system patches and make sure I have good security.
– I need to get rid of the entry point and the weakness, which is the human interaction. There’s a very famous picture back from 2006 that has started to go round the circuit showing in one hand all the antivirus and antispam technology you could ever buy and in the other corner is Dave. At the end of the day, you can do absolutely everything right but how do you legislate against the pink squidgy thing in the middle who is inherently fallible? On the one hand, you have to have awareness training at least biannually and have senior management buy in. Then there are companies now that will send spear phishing tests and do social engineering to highlight your weaknesses.
– I need to back everything up. If it all goes wrong I need to be able to say ‘I can get my data back because I‘ve taken a copy.’ That’s so important because technology and people are both fallible. Tech is changing all the time and attacks are coming thick and fast so all these security updates take a while to fix and roll out. And the people, well law firms aren’t as bad as bad as recruitment consultants but still pretty bad. Those industries have a high volume of incoming emails from different sources with lots of attachment types. They work in a high paced environment. If you have lots of lawyers receiving unsolicited emails with attachments and if you think no-one’s going to click on something you’re mistaken. So, you have to be able to get your data back and data recovery is only as good as your data backup. We say it has to be fully managed and monitored because IT teams in law firms are busy upgrading the DMS or doing all the other things they should be doing. Because the backup is not on fire it tends to get forgotten.
What are the key takeaways for law firms?
A lot of big firms have the attitude that their data is replicated across different data centres but if you get a nasty virus it’s just replicated around those different data centres. The only way to prevent it is to have backups. We go into plenty of big companies that have back up with tapes that are really difficult to restore. They should use an enterprise software product that is constantly tested and updated. The key takeaway for law firms that they are in an arms race and soon enough they’ll get it wrong.
Peter Groucutt is managing director of Databarracks, which provides law firms with disaster recovery solutions including disaster recovery as a service.