PROVIDENCE, R.I. — Cybercriminals held a Providence law firm hostage for months by encrypting its files and demanding $25,000 in ransom paid in Bitcoin to restore access, according to a lawsuit filed in U.S. District Court.
Moses Afonso Ryan Ltd. is suing its insurer, Sentinel Insurance Co., for breach of contract and bad faith after it denied its claim for lost billings over the three-month period the documents were frozen by the ransomware infection.
According to the lawsuit, during the time their files were inaccessible, the firm’s 10 lawyers were left unproductive and inefficient — amounting to $700,000 in lost billings.
After paying the ransom in Bitcoin, the firm had to renegotiate those terms because the initial key to decrypt its files failed to work. It had to purchase more Bitcoin in exchange for other tools to recover its documents.
Ransomware Develops Into "Valet Thievery" Driven By Phishing Attacks
Attackers are tailoring their demands to their victims, in essence making it a brand of “valet thievery,” said cyber expert Doug White, director of forensics, applied networking and security at Roger Williams University. They might demand $800 from a household, and push that sum into the thousands if they realize they’ve hit a law firm or hospital, White said. The key to the infections is phishing attacks that use social engineering to trick an employee into opening a malicious attachment.
It’s a crime, too, that is vastly underreported, law enforcement agencies say. “The shame of it keeps it from being reported,” White said, as businesses don’t want to sully their image or reveal weakness. “Usually they just pay them off. It’s the cost of doing business.”
Moses Afonso Ryan Ltd. is not alone in falling victim to such a crippling attack. Police departments, town halls, law firms, accounting firms and individuals have been hit across Rhode Island, according to Capt. John C. Alfred, head of the Rhode Island State Police cyber-crimes unit.
Protecting a network involves everyone in it from a janitor to the CEO
“I never tell anyone to buy the ransomware key because it’s sponsoring illegal activity,” Alfred said. He added: “You have to back-up the data beforehand. That’s what you have to do. You’re not going to get that data back. Even if you pay, you might not get the key.” Protecting a network involves everyone in it from a janitor to the CEO, he added.
Dana M. Horton, representing Sentinel Insurance in the lawsuit, also did not immediately respond to an email and a phone call seeking comment. The company has not yet filed a response in U.S. District Court.
White questioned whether the law firm’s suit would succeed, saying it would “open a giant can of poison worms” for the insurance industry. Alfred, too, emphasized that cyber security insurance is a growing field. “Everybody is going to be insuring their data,” Alfred said.
Heads-Up: Cyberinsurance Does Not Pay Out For Human Error
You need to read the fine print in your cyberinsurance policy if you have one, or if you are negotiating one. These policies normally do not cover incidents caused by human error; they only pay out for software-related vulnerabilities. This is a gotcha you need to be aware of, because your organization might have a false sense of security.
Capt. John C. Alfred, head of the Rhode Island State Police cyber-crimes unit, is right. You do need to step all employees through new-school security awareness training, from the mail room to the board room!
We strongly recommend phishing your own users to prevent these types of very expensive snafus. If you're wondering how many people in your organization are susceptible to phishing, here is a free phishing security test (PST):
Full story at Providence Journal.