The Cyber Division of the FBI is serious about ransomware! An FBI speaker last Friday at the SC Bar’s excellent tech seminar, an annual seminar I highly recommend for solo and small firm lawyers, emphasized that awareness and employee training are critical to preventing data losses in your operation.
Ransomware is a form of malware that is most often delivered through spear phishing e-mails. Spear phishing is a type of e-mail fraud that seeks unauthorized access to confidential data. Ransomware is what it sounds like. Once the fraudster gains access, your system is locked down, and money is demanded to provide access. You have to pay for your own data!
“H4ck3rz R Us, how can I help you?”
The FBI recommends prevention, business continuity and remediation, but suggests that there is no guarantee of prevention even with the most robust controls in place. Methods of prevention include:
Provide extensive awareness and training for your staff.
Use strong anti-virus and anti-malware solutions that are set up to update automatically.
Conduct regular scans with the anti-virus and anti-malware solutions.
No user should be assigned administrative access unless that access is absolutely needed.
Those with administrative accounts should only use them when necessary.
Keep access to a minimum. If a user only needs specific files, he or she should not have access to other files.
Ask your IT professionals to implement controls to avoid common ransomware techniques.
But since prevention is not guaranteed, the most attention should be paid to business continuity and remediation. In short, back up your data regularly and regularly verify the integrity of the backups. Secure the backups. Ensure backups are not connected to the computers and networks they are backing up.
The FBI does not endorse paying a ransom to the fraudsters and teaches that paying the ransom does not always ensure regaining access to data.
June 9th’s E-Blast from the SC Bar contained the following warning:
Alert: Phishing emails targeting lawyers
SC Bar members are cautioned to be aware of emails indicating that a complaint has been made against the lawyer or firm, or that they contain a special message from the Bar president. Such emails are not coming from the Bar and would be an attempt to phish members. Delete them immediately. Phishing emails are fraudulent emails that may contain links to phony websites or may request that you share personal or financial information by using a variety of techniques.
There may be clues, including a suspicious “from” email address. The email may include directions to click on a link, which purports to be a copy of the complaint or of the “special message.” Do not click this link, as it could be an attempt to put “ransomware” on the affected computer. Bar members are reminded that any official grievance would come via U.S. mail from the Supreme Court and that any important Bar announcement would appear in E-Blast or would be sent by an individual Bar staff member.
And on June 20, I received the following e-mail:
A “complaint” is enough to strike fear in the heart of any lawyer. The scammers rely on a stress-induced knee-jerk reaction that results in clicking on the link. Clicking on the link is the first reflex in our fast-paced world. Fortunately, we have received warning after warning about this kind of phishing activity.
The most obvious clues in this particular scam were:
The e-mail was from “complaint Dept” and the address was firstname.lastname@example.org. Nothing there reflects the SC Bar.
The name of our bar association is the South Carolina Bar. The South Carolina Bar Association is a common misnomer.
I don’t have a “law practice”. I work for Chicago Title Insurance Company.
The South Carolina Supreme Court handles disciplinary complaints, not the SC Bar. And the Office of Disciplinary Counsel uses snail mail.
A huge thanks to the SC Bar for the warning! Be careful out there!