The following is an excerpt from a fraud alert posted recently to the LawSites website, with a scenario that continues to threaten Nova Scotia lawyers:
"Five U.S. law firms — three in the last 24 hours — have been among the companies and organizations targeted by a new round of ransomware attacks. In two of the cases, a portion of the firms’ stolen data has already been posted online, including client information. This according to Brett Callow, a threat analyst with Emsisoft, a cybersecurity company that is also an associate partner in the No More Ransom Project, an initiative between multiple law enforcement agencies and the private sector. Hackers have stolen data from at least five law firms, using the threat of releasing the data to extort payment from the firms, Callow said. In the two cases in which hackers already posted law firm data, they published it on the clear web where it can be viewed by anybody.
The hackers are using the so-called Maze ransomware, which was the subject of a warning issued to companies earlier this month by the FBI. Earlier this week, Ars Technica reported that victims of the Maze ransomware attacks have included a grocery chain, a CPA firm, and a college. The hackers infiltrate systems using email with malicious attachments, Callow said. He does not know the exact nature of the emails being used against law firms, but he assumes they are being crafted in such a way that lawyers are likely to open them. Their modus operandi is to initially name the companies they’ve hit on their website and, if that doesn’t convince the companies to pay, to publish a small amount of their data as 'proofs.'
'This makes sense,' Callow said. 'The more data they publish and the more sensitive that data is, the less incentive an organization has to pay to prevent the remaining data being published. It’s the equivalent of a kidnapper sending a pinky finger.' If the organization still doesn’t pay, the remaining data is published, sometimes on a staggered basis, he said. The group has also published data in Russian hacker forums with a note to 'Use this information in any nefarious ways that you want,' Callow said. 'Once a company does pay, then its name is removed from Maze’s website.'"
Similar ransomware virus attacks have been reported in Nova Scotia. A ransomware-infected email link or attachment may appear to be from a financial institution or company (e.g. a package delivery service), or, in recent times, may appear to concern COVID-19-related matters. Once an infected link or attachment is opened, the virus will begin to corrupt the victim’s system files. A pop-up window will soon appear on the computer screen, restricting access to the system and its files until a ransom is paid to the creator of the virus.
These warning messages may also claim to be from the RCMP or other government agencies, stating that the victim’s computer has been frozen for a criminal investigation involving 'child pornography' or 'illegal music downloading'. This is an attempt to scare victims into sending money to unlock their system, but the computer will not be unlocked even if the money is paid – the scammers will disappear once the funds are transferred.
These programs install themselves and encrypt files on the computer’s hard drive, and are extremely difficult to remove, with no guarantee that your data can be recovered. Here’s how to protect yourself:
- Be vigilant about the legitimacy of all emails received – do not open email attachments or click links from unverified senders
- Never click on a pop-up that claims your computer has a virus
- Turn on your browser’s pop-up blocking feature
- Keep your anti-malware and firewall programs up-to-date and perform scans on a regular basis
- Schedule regular system updates and maintain backups of your data to ensure that your files are protected
- Never download anti-virus software from a pop-up or link sent to you in an email
- If you’ve received a ransomware message, contact the Canadian Anti-Fraud Centre (1-888-495-8501) to report it
- If your computer becomes infected, do not pay the scammer’s ransom request – have it cleaned by a computer repair service to remove any malware.
As we've warned in the past, we bring this to your attention for several reasons. First, social engineering fraud is not part of the cyber coverage we offer in our policy. In similar cases, coverage has been denied by a cyber insurer when the lawyer/firm did not have the social engineering rider on its commercial cyber policy. Second, depending on the facts, there may not be coverage for such a fraud under the professional liability part of your insurance policy either. Accordingly, a lawyer falling victim to such a fraud who lacks appropriate insurance coverage could be in the position of having to reimburse their trust account for the loss.
For tips to avoid being victimized, or to report or seek advice on dealing with fraud and scam attempts, contact Cynthia Nield at cnield@lians.ca or 902 423 1300, x346.