The Federal Bureau of Investigation (“FBI”) recently sent a confidential advisory asking that businesses and software security experts assist in its fight against one of the most malicious new types of cyber-attacks facing the country – a ransomware virus used by hackers for extortion. The FBI asked that those who had been attacked, or who had other relevant information that may help in its investigation, immediately contact the FBI’s CYWATCH cyber center.
A ransomware attack is a form of cyber-attack in which a hacker encrypts the victim’s system, data and files, locking the victim out, and demands a ransom in return for access. In particular, the FBI is focusing on a type of ransomware attack known as MSIL/Samas.A, which encrypts data on an entire network, rather than one computer at a time.
Ben Johnson, co-founder of Carbon Black, a cybersecurity firm that recently uncovered another type of ransomware that attacks through infected Microsoft Word documents, stated that “this is basically becoming a national cyber emergency.” The industries that appear most impacted by ransomware attacks include those that rely heavily upon computer access for their core functions, such as healthcare and law enforcement. By way of example, in early February 2016, Hollywood Presbyterian Medical Center, a hospital in Los Angeles, suffered a ransomware attack that left it without access to email or electronic medical records for almost two weeks. Like many other victims of ransomware attacks, the hospital ultimately decided to pay the attackers the ransom of 40 bitcoin, the equivalent of approximately $17,000.
Since at least 2009, the FBI, the U.S. Secret Service, and other law enforcement agencies have warned law firms that their computer files were targets for cyber criminals and thieves in China, Russia, and other countries, including the U.S., looking for valuable confidential and proprietary information including corporate mergers, patent and trade secrets, litigation strategy, and more. “If you’re a major law firm, it’s safe to say that you’ve either already been a victim, currently are a victim, or will be a victim,” said Chad Pinson, a managing director at Stroz Friedberg, a New York-based cybersecurity firm. “The question is, what are you doing to mitigate it?” With so much at stake, at the very least, law firms should have a basic understanding of the cyber risks facing them today so that they can manage risk and compliance relevant to PHI, PII and privacy issues.