After weeks of disruption, millions in lost business and recovery costs, and some very bad publicity, a look back at law firm DLA Piper's fight with Petya.
On the morning of Tuesday, June 27th, employees coming in to work at the DC offices of DLA Piper, one of the world's largest law firms, were greeted with something unusual. A whiteboard had been rolled out into the middle of the building lobby with "Attention: DLA Employees" written across it in large, red letters.
"All network services are down, DO NOT turn on your computers!" the message continued. "Please remove all laptops from docking stations & keep turned off. No exceptions."
As the DC office employees slowly filed past the whiteboard wondering what was going on, text message notifications were urgently being sent out alerting the rest of the firm's employees not to start their computers or connect to the DLA network, either.
The phone systems were down. So was email and the firm's web portal. Without access to communications or documents, operations ground to a halt.
Initial details were scarce, but what eventually became clear was, like thousands of other organizations around the globe, the firm had been infected by Petya malware. As a result, the entire firm — roughly 3,600 lawyers plus support staff scattered across 40 countries — was on digital lockdown.
What no one at DLA Piper knew or anticipated on that chaotic first day of the outbreak was that the lockdown wouldn't be fully remediated for weeks to come.
A full day without phones. Six days without email. Nearly two weeks without complete access to older email and other documents.
It can be difficult to fully appreciate just how debilitating and disruptive an incident like the Petya/NotPetya outbreak has been for any organization, let alone a major global law firm with a huge roster of multinational clients.
According to insurance brokers, the total direct and indirect costs associated with the attack on DLA Piper could be in the millions. In comparison, the ransom demand for the Petya attack was $300 in Bitcoin.
Petya/NotPetya ransom screen
So why didn't the firm simply pay the ransom? Any theoretical principles against funding cybercriminals aside, the simple fact is they couldn't have paid to get their files back even if they'd wanted to. As it turned out, the "ransomware" involved in the attack wasn't actually designed to make file recovery possible at all. It was designed for destruction, not extortion.
That left the firm with only one real option: careful containment and painstaking restoration of infected systems little by little. The last statement the firm issued regarding the status of its recovery was on July 10, nearly two weeks after the initial infection. It acknowledged that while email and other tools central to client services had been brought safely back online, other major systems were still being restored. There's been no indication from the firm since whether that status has changed.
It's likely DLA Piper will be able to recover at least some portion of their losses by filing an insurance claim. Larger firms like DLA Piper are increasingly purchasing specialty cyber insurance that can cover loss of income as well as mitigation and recovery costs from cyber attacks. There have been instances where such claims have been contentious, however, as was the case earlier this year when Rhode-Island-based law firm Moses Afonso Ryan sued its insurer for $700,000 in lost billings due to a ransomware infection that locked down the firm's files for three months.
What is less recoverable is the time lost to the attack — especially important considering the deadline-driven work firms are expected to conduct — and any potential damage to the firm's reputation and brand.
What can other firms learn from the significant impact this attack had on DLA Piper, and what steps can they take to proactively prevent the next major attack from doing the same thing to them? Before we dive in with a few suggestions, let's take a quick look at how the attack and the firm's recovery efforts have unfolded.
DLA Piper's main office line is down. There are reports they have been hit with Petya ransomware ...— Chris Bing (@Bing_Chris) June 27, 2017
DLA Piper wasn't the first firm to suffer a catastrophic cyber attack, and it unfortunately won't be the last. With their access to and dependency on sensitive, high-value data, firms aren't going to stop being popular and vulnerable hacking targets any time soon. But as one of the most high-profile and hardest-hit victims of this major malware outbreak, it's likely DLA Piper will be the cautionary tale in law firm IT circles for quite some time.
With that being the case, what lessons can other firms learn?
According to one of the firm's statements, its IT team was able to act quickly to prevent the spread of Petya thanks to an alert from its "advanced warning system" that suspicious activity had been detected on the network. While that alert was certainly helpful in notifying them there was a problem so they could stem the bleeding, unfortunately by that point significant damage had already been done.
Today's malware infections move incredibly quickly, and if the purpose of an infection is to render files and systems inaccessible, being alerted that you're locked out after the fact is not ideal security.
The first crucial takeaway from DLA Piper's infection is an important reminder of the value of actively investing in attack prevention (not just detection and response).
As if suffering through weeks of downtime and disruption thanks to a worldwide ransomware attack wasn't enough, adding insult to injury was the fact that DLA Piper had just published a blog post specifically instructing companies on how to avoid falling victim to the next worldwide ransomware attack.
The post, outlining "9 things you should know to protect your company from the next attack" shares some very sensible advice on improving an organization's security posture in a very systematic and long-term way, but there's a very big difference between this...
Implementation: Obtain advice on cybergovernance structure and reporting to C-suite and the board, rectification of RAG report deficiencies based on instructions, develop IT use protocols, cyber policies and procedures, personnel policies and level policies, maintenance of cyber systems and implementation monitoring, update contract methodology around cyber risk transfer and mitigation including vendor template agreements and vendor risk review process, establish business continuity and disaster recovery plans.
...and actually reacting to a sudden ransomware crisis in the moment.
Another key takeaway from this incident is that even for extremely practiced firms and organizations (DLA Piper asserts it has assisted numerous companies in responding to and recovering from cyber attacks), mitigation can take time and be one heck of a bumpy ride. Not only do organizations need a plan, they need to be prepared to adjust and react when things don't go according to that plan.
Perhaps the most important (and troubling) lesson from this attack comes from Larry Ponemon, chairman and founder of the Ponemon Institute, a research think tank specializing in data protection. According to Corporate Counsel, Ponemon has worked with DLA Piper as a consultant and considers its data privacy and security measures to be "very good."
Indeed, if a giant global law firm with revenue of roughly $2.5B in 2016 couldn't protect itself against this type of attack, what hope do other firms have?
There's no lack of steps firms can take to better protect themselves against a variety of potential security incidents and attacks. DLA Piper's blog post lists nine — from conducting gap analysis to providing security training.
But while these are good long-term fixes, they don't really address the immediate issue — both Petya and WannaCry were able to exploit some very specific vulnerabilities. To prevent any follow-up attacks also exploiting those vulnerabilities from being successful, firms should do the following five things:
Considering WannaCry and Petya both used an exploit (EternalBlue) that targets a vulnerability in Server Message Block (SMB), investigating whether any machines have port 445 (the port associated with SMB) open and exposed to the Internet should be a top priority.
While they're at it, firms should also do the same thing for port 3389 (the port associated with Remote Desktop Protocol, or RDP). We've seen a significant spike in ransomware infections via RDP this year, with attackers scanning for open ports and attempting to brute force their way past weak or default passwords to gain execution.
Using a port scanning tool like Nmap can help you find all the open ports on your network. Keep in mind, attackers have access to these types of tools, as well. Here’s a tutorial from DigitalOcean that walks you through how to test your firewall configuration and see what your network looks like to an attacker.
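Nmap is the right tool for a real sweep, but the check itself is simple enough to show in a few lines. The following is an added example written for this post; it is not Barkly's code nor part of the DigitalOcean tutorial. It attempts a plain TCP connect to each watched port on each host and reports the ones that answer. Because it has to run offline here, the demo stands up a loopback listener on an ephemeral port to play the part of an exposed SMB service and uses a second, deliberately unbound port as the "closed" RDP case; the host list, the stand-in ports and the labels are constructed for the demo. In practice you would run the same `exposure_report` from outside your perimeter against your public address ranges (the view an attacker has) and reconcile every hit against your asset inventory.

```python
import socket
import threading
from typing import Dict, Iterable, List, Tuple

# The two services the post singles out. The port numbers are the standard
# assignments; everything under run_demo() is constructed for this example.
WATCHED_PORTS: Dict[int, str] = {445: "SMB", 3389: "RDP"}


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within `timeout`.

    A completed connect means the service is reachable from wherever this
    runs, which is exactly what you want to know when the scan is launched
    from outside the firewall."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, bad hostname
        return False


def exposure_report(hosts: Iterable[str], ports: Dict[int, str] = WATCHED_PORTS,
                    timeout: float = 1.0) -> List[Tuple[str, int, str]]:
    """Return (host, port, service) for every watched port that accepts connections."""
    return [(host, port, name)
            for host in hosts
            for port, name in ports.items()
            if tcp_port_open(host, port, timeout)]


def _start_local_listener() -> socket.socket:
    """Stand-in for an exposed service: a loopback listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener was closed; stop serving
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv


def _reserve_closed_port() -> int:
    """Find a loopback port nothing is listening on (bind, read it back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo() -> Dict[str, object]:
    """Scan loopback with one open and one closed port standing in for 445 and 3389."""
    listener = _start_local_listener()
    try:
        open_port = listener.getsockname()[1]
        closed_port = _reserve_closed_port()
        demo_ports = {open_port: "SMB (stand-in)", closed_port: "RDP (stand-in)"}
        findings = exposure_report(["127.0.0.1"], demo_ports, timeout=0.5)
        return {"open_port": open_port, "closed_port": closed_port, "findings": findings}
    finally:
        listener.close()


if __name__ == "__main__":
    result = run_demo()
    for host, port, service in result["findings"]:
        print(f"EXPOSED {host}:{port} ({service})")
```

Only the stand-in SMB port shows up in the findings; the closed port is silently skipped. Keep the timeout short when sweeping address ranges, and treat every hit on 445 or 3389 from the outside as a finding to close or restrict, not as something to explain away.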
It's easy to say all machines in your organization should be fully patched and up-to-date, but the reality is deploying patches across enterprise environments can pose significant logistical challenges. There may be machines that you simply can't apply updates to for a variety of reasons. If possible, segment these machines and reduce your risk by limiting what they have access to.
To find out whether any of your outdated machines are vulnerable to EternalBlue you can use the free scanning tool Eternal Blues.
As we consider the number of victims infected by these recent malware outbreaks, and the widespread damage they have caused, it's clear that organizations don't just need to do more in terms of security, they need to do "different."
That means supplementing standard antivirus solutions with newer forms of protection designed to block even never-seen-before malware based on its behavior. To find how Barkly is keeping companies one step ahead of the latest attacks, learn more about how our endpoint protection works.
3-2-1 backup is a best practice that requires you to have three copies of your data in two different locations, one of which is offsite (ex: in the cloud). Making your backup 3-2-1 compliant ensures that even if one copy of your backup is encrypted or destroyed by ransomware you’ll still have at least one off-site copy that can’t be touched.
Just keep in mind recovering from backup should be considered more of a last resort/safety net rather than a silver bullet. Less than half of organizations hit with ransomware report being able to recover all the data that was encrypted with backup.
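The reason backups fail as a safety net is usually that nobody checked them before the incident: a copy that was mounted when the malware ran is encrypted along with the originals, and the off-site copy turns out to be missing the newest files. The script below is an added example (not Barkly's code and not tied to any backup product) of the check that catches both problems. It records a SHA-256 manifest of the data at backup time, when the files are known-good, and later classifies every copy of every file as intact, modified or missing, so you can see which files still have at least one clean copy before you need one. The file names, contents and the three copies are constructed for the demo; a real run would walk the backup locations on disk or ask the backup catalogue instead.

```python
import hashlib
from typing import Dict, List

# A "copy" is modelled as {relative_path: file_bytes}. On a real system you
# would walk a directory tree or a backup catalogue (assumption of this example).
Copy = Dict[str, bytes]


def build_manifest(files: Copy) -> Dict[str, str]:
    """Record the SHA-256 of every file at backup time, while the data is known-good."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_copies(manifest: Dict[str, str], copies: Dict[str, Copy]) -> Dict[str, Dict[str, str]]:
    """For each path in the manifest, classify every copy as 'intact', 'modified' or 'missing'.

    'modified' is what a ransomware-encrypted copy looks like: the file is still
    there, but its hash no longer matches what was recorded."""
    report: Dict[str, Dict[str, str]] = {}
    for path, expected in manifest.items():
        status: Dict[str, str] = {}
        for copy_name, files in copies.items():
            if path not in files:
                status[copy_name] = "missing"
            elif hashlib.sha256(files[path]).hexdigest() == expected:
                status[copy_name] = "intact"
            else:
                status[copy_name] = "modified"
        report[path] = status
    return report


def intact_sources(report: Dict[str, Dict[str, str]], path: str) -> List[str]:
    """Names of the copies a given file can be restored from."""
    return sorted(name for name, s in report[path].items() if s == "intact")


def unrecoverable(report: Dict[str, Dict[str, str]]) -> List[str]:
    """Files with no intact copy anywhere: the data a restore cannot bring back."""
    return sorted(path for path, s in report.items() if "intact" not in s.values())


def run_demo() -> Dict[str, Dict[str, str]]:
    # Constructed data set and scenario (not from any real incident):
    original: Copy = {
        "matters/contract.docx": b"draft purchase agreement v7",
        "matters/brief.pdf": b"appellate brief, final",
        "billing/q2.xlsx": b"q2 billable hours",
    }
    manifest = build_manifest(original)

    # The primary share was fully encrypted.
    primary = {p: b"ENCRYPTED:" + d for p, d in original.items()}
    # The local backup was mounted at the time; the malware got through part of it.
    local_backup = dict(original)
    local_backup["matters/brief.pdf"] = b"ENCRYPTED:brief"
    local_backup["billing/q2.xlsx"] = b"ENCRYPTED:q2"
    # The off-site copy was unreachable from the infected network and is clean,
    # but it was taken before billing/q2.xlsx was created.
    offsite = {p: d for p, d in original.items() if p != "billing/q2.xlsx"}

    return verify_copies(manifest, {
        "primary": primary,
        "local-backup": local_backup,
        "offsite": offsite,
    })


if __name__ == "__main__":
    report = run_demo()
    for path in report:
        print(f"{path}: restorable from {intact_sources(report, path) or 'NOTHING'}")
    print("unrecoverable:", unrecoverable(report))
```

In the demo the contract survives in two places, the brief only off-site, and the quarter's billing file is gone from every copy because the off-site sync lagged behind the encrypted local backup. That last case is the one behind the "less than half recover all their data" statistic, and it is only visible if the manifest check runs on a schedule rather than on the day of the incident.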
Once you've addressed the four things above, then it's a good idea to step back and invest in the big picture considerations and activities discussed in the firm's blog post.