Brett Callow of Emsisoft says ransomware attacks have struck five law firms recently, including three just this past weekend. Two of the affected firms have already had their information, including that of their clients, posted online for anyone to view. This is a tactic the attackers use to pressure the companies into paying the ransom. There is strong evidence suggesting that Maze is the ransomware being used in these attacks. In this case, the malware made its way into the systems by way of emails that included malicious attachments, which were more than likely crafted in a way that would get lawyers to open them. Callow is quoted as saying, “The more data they publish and the more sensitive that data is, the less incentive an organization has to pay to prevent the remaining data being published. It’s the equivalent of a kidnapper sending a pinky finger.” If the ransom is paid, the group removes the paying company’s data from its website.
It cannot be stressed enough how important it is to have secure backups of files stored offline. Quality backups are one important layer of defense against any ransomware. However, since attackers have started releasing stolen files to the public instead of simply encrypting them, backups alone are not sufficient to prevent all damage. It is important to have a monitoring system in place to discover attacks in their early stages, before attackers have the chance to find sensitive files and steal them from systems. Never open attachments from an unknown sender, especially document and spreadsheet files that include instructions for the recipient to click the “enable content” button to allow active content to run in the document. It is also advisable to have tools available that scan attachments before they’re opened. The combination of anti-virus software with endpoint detection and response (EDR) tools can help prevent or stop intrusions. At Binary Defense, our Security Operations Center analysts stop security issues from spreading by identifying suspicious activity, taking quick preventative action to isolate infected computers from the network before data can be stolen, and alerting our clients as soon as the activity is spotted.