How Our Law Firm Survived a CryptoWall Ransomware Attack


It started with an early Sunday morning phone call. A senior equity partner who writes whenever and wherever inspired complained, “I’m getting an error whenever I try to open Word or PDF documents.” Two hours and a trip into the office later, we erroneously concluded that our case file folder had been corrupted by an unsuccessful backup and that a simple scan/repair job would have us back up and running.

Unfortunately, while the scan/repair utility sifted its way through 1.5 terabytes of files, a more destructive tool was worming its way through our network shares as well. It wasn’t until another partner emailed late Sunday evening to ask about strange file names like “HELP_DECRYPT” saved in his case directory that we realized we had a more serious problem on our hands. We’d been struck by the CryptoWall 3.0 ransomware virus! (Cue scary music!)

What is CryptoWall 3.0?

CryptoWall is “the largest and most destructive ransomware threat on the Internet” at the moment and will likely continue to grow.[1] Essentially, CryptoWall, an evolution of CryptoLocker, uses malware to copy and encrypt commonly used office file types, then deletes the originals, leaving victims few or no options beyond paying a ransom or losing the ability to recover their files. In a law firm, losing client data, past and present, simply isn’t an option. In our case, the ransomers wanted $700 for the key to decrypt our files! Though we lost roughly triple that amount in productivity and billable hours fixing this mess, negotiating with terrorists simply wasn’t an option! Fortunately, if your organization has a cold backup, the likelihood of recovery increases drastically.

When we investigated how far the virus had spread through our network, we found it was concentrated in the heart of our operation: client case files and law firm application data shares. Though we knew we had cold backups to restore from, we didn’t know whether the virus had stopped spreading or where it had originated. The last thing we wanted was to restore our files only to have them encrypted all over again!

$700 Ransom only doubles with time!

Identifying the Source of the Virus

Once you notice your organization has been hit by CryptoWall, some engineers suggest powering down your network switch to stop the spread. That works for smaller networks, but it may not be feasible for larger organizations. I would instead suggest modifying the share permissions on critical shared drives so that infected machines can no longer write to them and spread further. Unfortunately, there is no administrator-level method to determine which machine the virus originated from. I had to walk to each and every machine in the law firm and install and run applications such as Malwarebytes, HitmanPro and ListCWall to scan for, identify, and remove any locally infected files. Once we identified the source of the virus (HELP_DECRYPT files will appear locally on the originating machine), I scrubbed it clean and proceeded to delete and restore our files.
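A triage script for the walk-around above, added here as an example and not taken from the original post or its author: it inventories the HELP_DECRYPT marker files under a share, which shows how far the encryption reached and, via the NTFS owner of the dropped files, which user account (and so which workstation) to check first. The share path and output file name are placeholders.

```powershell
# Added example (not from the original post): inventory CryptoWall marker files
# under a share root to scope the damage and narrow down the writing account.
param(
    [string]$ShareRoot = '\\FILESERVER\Cases'   # placeholder UNC path, adjust
)

# CryptoWall 3.0 drops HELP_DECRYPT.* files in every folder it encrypts.
$markers = Get-ChildItem -Path $ShareRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'HELP_DECRYPT*' }

if (-not $markers) {
    Write-Host "No HELP_DECRYPT marker files found under $ShareRoot"
    return
}

# The earliest marker approximates when encryption first reached this share.
$first = $markers | Sort-Object CreationTime | Select-Object -First 1
Write-Host ("First marker: {0} created {1}" -f $first.FullName, $first.CreationTime)

# A file dropped over SMB is typically owned by the account the malware ran as,
# so grouping markers by owner points at the user whose machine to scan first.
$markers | ForEach-Object {
    [pscustomobject]@{
        Owner  = (Get-Acl -LiteralPath $_.FullName).Owner
        Folder = $_.DirectoryName
        Time   = $_.CreationTime
    }
} | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object @{n = 'Owner'; e = { $_.Name }}, Count,
                  @{n = 'Earliest'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time }} |
    Format-Table -AutoSize

# Distinct affected folders, for scoping the delete-and-restore step.
$markers | Select-Object -ExpandProperty DirectoryName -Unique |
    Out-File -FilePath '.\affected-folders.txt'   # placeholder output file
```

Run it from an account that can read the share but, if the share has already been set read-only for users, it still works because it only reads metadata.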

Restoring the Infected Files

There is something unnerving about deleting 1.5 terabytes of client files, even when you know there is a backup, but it was necessary. Besides, all of it was utterly useless encrypted garbage at this point. After deleting, we used an application called Karen’s Replicator to copy the cold backup drive back to the previously infected share drive. It took approximately 2 days to restore 1.5 terabytes of data, but it worked, and so far, so good.

We also noticed that our QuickBooks files, both current and backup copies, were affected as well. Luckily, we were able to restore the company files from a previous routine bare-metal Windows Server Backup.

How You Can Protect Your Network

The bottom line is that this can happen to anyone. One wrong click on the Internet, or opening an attachment from even a trusted source whose email contacts have been compromised, can unleash a world of hurt on law firms that increasingly rely on sensitive client data to operate. The more we embrace technology, the more vulnerable we become to it. Keeping end users up to date on safe browsing practices is a start. TechRepublic has some great tips for keeping your network safe and avoiding the likes of CryptoWall 3.0.

[1] CryptoWall ransomware held over 600K computers hostage, encrypted 5 billion files, PCWorld (2014), http://www.pcworld.com/article/2600543/cryptowall-held-over-halfamillion-computers-hostage-encrypted-5-billion-files.html (last visited Sep 22, 2015).
