Ransomware: A primer for lawyers
Exfiltration is on the rise. Lawyers need to know how attacks like exfiltration are investigated to prevent further damage to a client's or firm's finances and reputation. Our digital forensic examiners team up with you to understand the scope of the attack and help your investigation.
What is ransomware?
First, let’s get clear on ransomware.
Ransomware attacks often involve the threat of exfiltrated data. Attackers threaten to publish stolen, sensitive data unless someone pays a ransom.
Here’s what goes down in the event of a ransomware attack:
Ransomware attackers, or cyber attackers, steal your data before encrypting it. And they’re only getting more sophisticated. Think of it like someone stealing something in your house but first changing the locks and holding the new keys hostage. Instead of physically breaking into your home, ransomware attackers enter your device through an email attachment you opened, an ad you clicked on, a hyperlink you followed, or a website you visited that’s embedded with malware (FBI.gov).
These phishing attacks aren't detected right away. Malicious code is loaded onto your computer and runs in the background until your files and data are locked and inaccessible. The process could take weeks until you see messages demanding payment to access your data and files again.
Now, back to exfiltration. Proving exfiltration often relies on circumstantial evidence. Once files are encrypted, which in most ransomware attacks happens around the time of exfiltration, any firewall log data saved or stored on the network is encrypted along with everything else, so direct evidence of the transfer is often lost.
Culprits of ransomware attacks often go for laptops, workstations, and other user-controlled devices – consider starting here to investigate exfiltration attacks. Be mindful that the attackers may have targeted network backups and can disable software used to detect a ransomware attack.
Unfortunately, most ransomware investigations happen after the attack has been deployed. There are precautions your clients can take to prevent an attack.
- Look for red flags in activity such as a user logging into a system from a different country at an unusual time of day.
- Review log activity
- Review and update retention policies
- Make a plan
- Automate anti-virus and anti-malware solutions and run scans regularly
- Enable two-factor authentication
- Back up often and in many places, keeping at least one isolated backup so the data can't be encrypted or destroyed
- Update your devices’ software often
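As an illustration of the first two points above (watching for red flags such as a login from an unexpected country at an odd hour, and reviewing log activity), here is a small Python script. It is an added example, not code from the original article or from the firm's own tooling. The log format, the field names and the business-hours window are assumptions made for the example; the log lines are constructed. The script reads login events in time order, learns which countries each user normally signs in from, and flags a login from a country outside that history or outside business hours.

```python
"""
Flag red flags in login activity: a user appearing from a country not in
their own history, or logging in outside business hours.

Added example. The log layout below (UTC timestamp, user, source country,
result) and the business-hours window are assumptions for illustration,
not the schema of any real product.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample log: one login event per line, chronological order not required.
SAMPLE_LOG = """\
2024-03-04T08:15:02Z alice US success
2024-03-04T09:02:44Z alice US success
2024-03-05T08:41:10Z alice US success
2024-03-05T10:12:33Z bob US success
2024-03-06T03:27:51Z alice RO success
2024-03-06T14:05:19Z bob US failure
2024-03-06T22:48:07Z bob US success
"""

# Hours (UTC) treated as normal working time. Assumption for the example; a real
# review should use the user's local time zone, since 03:00 UTC may be midday elsewhere.
BUSINESS_HOURS = range(6, 21)  # 06:00 through 20:59


@dataclass
class Login:
    when: datetime
    user: str
    country: str
    result: str


@dataclass
class Alert:
    login: Login
    reasons: List[str]  # machine-readable codes, e.g. "new_country:RO", "unusual_hour:03"


def parse_log(text: str) -> List[Login]:
    """Parse one login event per line; blank or malformed lines are skipped, not fatal."""
    events: List[Login] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # a single bad record should not stop the review
        ts, user, country, result = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Login(when, user, country, result))
    return events


def find_red_flags(events: List[Login], business_hours: range = BUSINESS_HOURS) -> List[Alert]:
    """Walk events chronologically, building each user's baseline of countries
    from successful logins, and flag anything that departs from it."""
    baseline: Dict[str, Set[str]] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.when):
        reasons: List[str] = []
        known = baseline.get(ev.user)
        # A user's very first login has no history to compare against, so only
        # users with an established baseline can trigger the new-country flag.
        if known is not None and ev.country not in known:
            reasons.append(f"new_country:{ev.country}")
        if ev.when.hour not in business_hours:
            reasons.append(f"unusual_hour:{ev.when.hour:02d}")
        if reasons:
            alerts.append(Alert(ev, reasons))
        # Failed attempts do not extend the baseline; only successes do.
        if ev.result == "success":
            baseline.setdefault(ev.user, set()).add(ev.country)
    return alerts


def main() -> None:
    for alert in find_red_flags(parse_log(SAMPLE_LOG)):
        lg = alert.login
        print(lg.when.isoformat(), lg.user, lg.country, ", ".join(alert.reasons))


if __name__ == "__main__":
    main()
```

On the constructed log this reports two events: alice's 03:27 login from RO (new country and unusual hour) and bob's 22:48 login (unusual hour only). A flag is a prompt to look closer, not proof of compromise; the baseline is only as good as the history it was built from, which is one reason log retention policies matter.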
Stuck? Our examiners know where to look for other clues and can help you fill the holes in your client’s network exfiltration story. Give us a call.