OSB Professional Liability Fund

Anatomy of a Ransomware Attack: One Firm’s Story

Picture of ransomware
December 20, 2017
by Hong Dao

[This blog post is excerpted from a full article published in In Brief and available here.]

Imagine you post an ad on craigslist to hire a legal assistant. Someone immediately responds by email and attaches a zip file. Believing the file contains the applicant’s resume and cover letter, you click on the attachment and download it to your server. Soon afterward, you can’t access any files on your computer. 
You have just been infected by ransomware.
The above scenario is not fictional. A small law firm in central Oregon was the victim of this ransomware attack. One of the partners, whom I will call Sam, has graciously allowed us to share his firm’s story to help educate lawyers on this type of cyberattack. I will describe the anatomy of this ransomware attack and discuss a few lessons we can learn from it.

The Bait

Before the attorney in Sam’s firm clicked on the bait containing the ransomware, he had already opened other applicants’ emails. But none had a malicious zip file attached. It only took one.

The Infection

 Within a short period of downloading the zip file onto the firm’s server, tens of thousands of documents—essentially all of the firm’s files—were encrypted. No one in the firm could access any files, including their email programs and contact lists. Sam told everyone in the office to stop working on their computer, and he unplugged the server.

The Ransom Note

After the encryption was completed, a note appeared on the downloading attorney’s computer. It said, “Congratulations. Your documents have been protected.” The note then demanded that the firm pay $750 in bitcoins to decrypt the files. It contained instructions on how and where to send the bitcoins within four days.
Sam then contacted a private legal ethics counsel and the FBI. Legal ethics counsel advised the firm on its ethical obligation to notify clients. That obligation depends in part on determining whether the attacker had viewed or accessed client data. The firm made this determination by running a packet sniffer. It is a software designed to search the computer system to assess whether the attacker had installed a proxy server to access the firm’s files. The firm’s IT specialist who ran a packet sniffer confirmed that no third party had accessed the firm’s files.

To read the rest of the article on how the ransom was paid, the recovery, the aftermath, and the lessons, click here.