Tag Archives: Law Firm Technology

How Our Law Firm Survived a CryptoWall Ransomware Attack

How one Law Firm Survived a CryptoWall Ransomware Attack
How Our Law Firm Survived a CryptoWall Ransomware Attack

It started with an early Sunday morning phone call. A senior equity partner who writes whenever and wherever inspired complained, “I’m getting an error whenever I try to open Word or PDF documents.” Two hours, and a trip into the office later, we erroneously concluded our case file folder had been corrupted from an unsuccessful backup and a simple scan/repair job would have us back up and running.

Unfortunately, while the scan/repair utility sifted its way through 1.5 terabytes of files, a more destructive tool was worming its way through our network shares as well. It wasn’t until another partner emailed late Sunday evening to inquire about strange file names like “HELP_DECRYPT” saved in his case directory  did we realize we had a more serious problem on our hands. We’d been struck by the CryptoWall 3.0 ransomware virus! (Que Scary Music!)

What is CryptoWall 3.0?

“CryptoWall is “the largest and most destructive ransomware threat on the Internet “at the moment and will likely continue to grow.[1] Essentially, CryptoWall, an evolution from CryptoLocker, uses malware to copy and encrypt commonly used office file extensions, then deletes the original, leaving victims little or no options beyond paying a ransom or losing the ability to recover their files. In a law firm, losing client data, past and present, simply isn’t an option. In our case, the ransomers wanted $700 to supply the key to decrypt our files! Though we had roughly triple that amount in lost productivity and billable hours fixing this mess, negotiating with terrorist simply wasn’t an option! However, fortunately, if your organization has a cold backup the likelihood of recovery drastically increases.

When we investigated just how much the virus purveyed through our network, we noticed it was centralized in the heart of our operation, client case files, and law firm application data shares. Though we knew we had cold back-ups to restore from, we didn’t know if the virus had stopped spreading or even know where it originated. The last thing we wanted to do was to restore our files only to have them encrypted all over again!

$700 Ransom only doubles with time!
$700 Ransom only doubles with time!

Identifying the Source of the Virus

Once you notice your organization has been affected by CryptoWall, some engineers suggest you power down your network switch to prevent spreading. While this works for smaller networks, it may not be feasible, especially for larger organizations. I would simply suggest modifying share permissions to critical shared drives to prevent infected machines from writing to those drives and further spreading. Unfortunately, there is no administrator level method to determine which machine the virus originated from. I had to walk around to each and every machine in the law firm, install, and run applications such as MalwareBytes, Hitman Pro and ListCWall to scan, identify, and remove any locally infected files. Once we identified the source of the virus (HELP_DECRYPT files will appear locally), I scrubbed it clean and proceeded to delete and restore our files.

Restoring the Infected Files

There is something unnerving about deleting 1.5 terabytes of client files even when you know there is a backup, but it was necessary. Besides, all of it was utterly useless encrypted garbage at this point. After deleting, we used an application called Karen’s Replicator to replicate the cold backup drive to the previously infected share drive. It took approximately 2 days to restore 1.5 terabytes worth of data, but it worked, and so far, so good.

We also noticed that QuickBook files, both current, and backups were affected as well. Luckily, we were able to restore company files from previous routine bare metal Windows Server Backup.

How You Can Protect Your Network

The bottom line is this can happen to anyone. One erroneous click on the Internet, opening an attachment from even a trusted source whose email contacts have been compromised can unleash a world of hurt on law firms who increasingly rely on sensitive client data to operate. The more we embrace technology, the more vulnerable we become to it. Keeping end-users up-to-date with safe browsing practices is a start. TechRepublic has some great tips for keeping your network safe and avoiding the likes of CryptoWall 3.0.

[1] CryptoWall ransomware held over 600K computers hostage, encrypted 5 billion files, PCWorld (2014), http://www.pcworld.com/article/2600543/cryptowall-held-over-halfamillion-computers-hostage-encrypted-5-billion-files.html (last visited Sep 22, 2015).

Law Firm Information Rights Management & Electronic Signatures

Information Rights Management and Electronic Signatures
Protecting Email Signatures

Can my email signature be forged? How about using an electronic signature on legally recognized documents? Both issues were recently presented to me by our senior equity partner at the law firm. My answers, yes & yes, but let me explain. It boils down to understanding Information Rights Management (IRM) and meeting the statutory requirements for using a legally recognized electronic signature.

Issue #1 Information Rights Management

When it comes to preventing email signatures from being altered, copied, or forwarded without authorization, an IRM policy must be implemented. Assuming we’re using an email client such as Outlook 2010 or newer, additional third party Microsoft credentials are required. Here’s how it works.

Information Rights Management (IRM) allows you to specify access permissions to email messages. IRM helps prevent sensitive information from being read, printed, forwarded, or copied by unauthorized people. After permission for a message is restricted by using IRM, the access and usage restrictions are enforced regardless of where the message goes, because the permissions to access an email message are stored in the message file itself.

IRM is generally implemented at the server level using Microsoft Exchange software. Alternatively, IRM is hosted on Microsoft servers by Microsoft for free, but requires a Microsoft Live ID (@hotmail.com email) to use. In order to utilize IRM internally, for example, a law firm would need one of the following: (1) running their own Microsoft Exchange server and managing it in-house, or (2) use a new or existing Microsoft Live ID (@hotmail.com ID) in conjunction with a firms existing hosted email to take advantage of IRM hosted for free on Microsoft servers. Clearly the latter is the most cost effective; however it would require several additional steps in sending an IRM equipped email.

Information rights management and electronic signatures
Legally Recognized Electronic Signatures

Issue #2 Using Electronic Signature

Here in Arizona, under Arizona Revised Statutes, an electronic signature is defined as an electronic process that is attached to or logically associated with a record that is executed or adopted by an individual with the intent to sign the record. A.R.S § 44-7002
Furthermore, a signature is considered secure if, at the time it was made, and applied through a security procedure it is; (1) unique to the person using it, (2) capable of verification (3) under the sole control of the person using it, and (4) linked to the electronic record to which it relates in such a manner that if the record were changed the electronic signature would be invalidated. A.R.S § 44-7003

Generally speaking, an electronic signature can be any electronic means of indicating that a person adopts the contents of an electronic message. However, under A.R.S. § 44-7003, to qualify as a secure electronic signature, the operative requirement is element (4), the necessity to have ones identity validated through a third-party security certificate service. Such services are seemingly analogous to credit reporting agencies however solely for electronic identity. Currently, there are seven credentialing services customarily used throughout the industry. Those seven services include ARX CoSign, Avoco secure2trust, ChosenSecurity, Comodo, GlobalSign, My Credential, and VeriSign.

If your firm decides to implement a secure electronic signature digital ID, it is recommended you use a platform you may already be using. For instance, at our firm, we use Norton for anti-virus protection. It just so happens Norton is who issues VeriSign electronic signatures. A yearly subscription is required however, with a digital ID, a possessor would not only be able to securely sign electronic documents, but also send digitally signed emails which, in and of itself, constitutes a secure verified document. The process is fairly simple; a YouTube video explaining the process can be viewed here.


In conclusion, to protect email signatures from alteration, unauthorized copying and forwarding, a law firm has the option to implement Microsoft IRM services through the use of Microsoft Live ID accounts in lieu of costly in-house Exchange server management. Furthermore, secure electronic signatures pursuant to A.R.S § 44-7031, can be achieved through the use of digital ID’s validated through third-party security certificate services.