Jonathan Crowe
Jul 2017

How One of the World’s Largest Law Firms Was Paralyzed by Petya

After weeks of disruption, millions in lost business and recovery costs, and some very bad publicity, a look back at law firm DLA Piper's fight with Petya.

On the morning of Tuesday, June 27th, employees coming in to work at the DC offices of DLA Piper, one of the world's largest law firms, were greeted with something unusual. A whiteboard had been rolled out into the middle of the building lobby with "Attention: DLA Employees" written across it in large, red letters. 

"All network services are down, DO NOT turn on your computers!" the message continued. "Please remove all laptops from docking stations & keep turned off. No exceptions."

As the DC office employees slowly filed past the whiteboard wondering what was going on, text message notifications were urgently being sent out alerting the rest of the firm's employees not to start their computers or connect to the DLA network, either. 

The phone systems were down. So was email and the firm's web portal. Without access to communications or documents, operations ground to a halt. 

Initial details were scarce, but what eventually became clear was, like thousands of other organizations around the globe, the firm had been infected by Petya malware. As a result, the entire firm — roughly 3,600 lawyers plus support staff scattered across 40 countries — was on digital lockdown.

What no one at DLA Piper knew or anticipated on that chaotic first day of the outbreak was that the lockdown wouldn't be fully remediated for weeks to come.

A nightmare scenario with costs in the millions

A full day without phones. Six days without email. Nearly two weeks without complete access to older email and other documents.

It can be difficult to fully appreciate just how debilitating and disruptive an incident like the Petya/NotPetya outbreak has been for any organization, let alone a major global law firm with a huge roster of multinational clients. 

"Consider litigators unable to access motions on a deadline. Trial lawyers preparing for arguments without key documents. Transactional lawyers unable to communicate with clients attempting to close multibillion-dollar deals."

— Roy Strom, The Am Law Daily

According to insurance brokers, the total direct and indirect costs associated with the attack on DLA Piper could be in the millions. In comparison, the ransom demand for the Petya attack was $300 in Bitcoin.


Petya/NotPetya ransom screen

So why didn't the firm simply pay the ransom? Any theoretical principles against funding cybercriminals aside, the simple fact is they couldn't have paid to get their files back even if they'd wanted to. As it turned out, the "ransomware" involved in the attack wasn't actually designed to make file recovery possible at all. It was designed for destruction, not extortion.

That left the firm with only one real option: careful containment and painstaking restoration of infected systems little by little. The last statement the firm issued regarding the status of its recovery was on July 10, nearly two weeks after the initial infection. It acknowledged that while email and other tools central to client services had been brought safely back online, other major systems were still being restored. There's been no indication from the firm since whether that status has changed.

It's likely DLA Piper will be able to recover at least some portion of their losses by filing an insurance claim. Larger firms like DLA Piper are increasingly purchasing specialty cyber insurance that can cover loss of income as well as mitigation and recovery costs from cyber attacks. There have been instances where such claims have been contentious, however, as was the case earlier this year when Rhode-Island-based law firm Moses Afonso Ryan sued its insurer for $700,000 in lost billings due to a ransomware infection that locked down the firm's files for three months.

What is less recoverable is the time lost to the attack — especially important considering the deadline-driven work firms are expected to conduct — and any potential damage to the firm's reputation and brand.

What can other firms learn from the significant impact this attack had on DLA Piper, and what steps can they take to proactively prevent the next major attack from doing the same thing to them? Before we dive in with a few suggestions, let's take a quick look at how the attack and the firm's recovery efforts have unfolded.

Timeline of DLA Piper's infection and ongoing recovery

Tuesday, June 27 (day of the attack)

      • 5:48am: First reports emerge of a major cyber attack targeting companies primarily in Ukraine.
      • 6am: DLA Piper’s Madrid office experiences signs of infection and is immediately locked down.
      • 7:37am: DLA Piper’s phone lines are reported down.
      • 7:55am: The firm’s web portal, used to access sensitive documents, is reported down, as well.
      • Tuesday morning: Firm employees are instructed via text message alert system not to start their computers or connect to the DLA network.
      • 9:36am: Firm issues a statement confirming suspicious activity was detected on its network that appears to be related to Petya outbreak, says IT team acted quickly to prevent the spread.
      • 10am: Photo of a whiteboard outside the firm’s D.C. office alerting DLA employees the network is down and not to turn on computers is posted on Twitter.
      • Tuesday afternoon: Firm employees are instructed via text to continue to work as much as possible with limited firm technology and to leave the office at 3pm with permission.

Wednesday, June 28 (+1 day following attack)

      • 6:42am: Firm issues second statement announcing it is working closely with leading external forensic experts and relevant authorities, including the FBI.
      • Wednesday morning: Firm employees notified via text alert system that offices are open, phones are operational, and email should be back up and running within hours.
      • Wednesday evening: Firm employees notified via text progress has been slower than expected, and document management and email systems are expected to be functioning by Thursday morning.

Monday, July 3 (+6 days following attack)

      • 1am: Six days following the attack, the firm announces email has been restored, but other systems are still in the process of being brought back online. It also confirms no evidence suggests client data had been exfiltrated or compromised, though investigation is still ongoing.

Thursday, July 6 (+9 days following attack)

      • Thursday morning: Sources briefed on the firm's recovery indicate that while email has been restored, the firm has yet to regain complete access to emails sent or received before the attack, and that some staff are still unable to access documents directly.
      • Thursday afternoon: The firm issues another statement acknowledging bringing all systems back online may take time, but that offices are open and the firm is advising clients. 

Monday, July 10 (+13 days following attack)

      • 4:35am: Firm issues another statement thanking clients and partners for their patience and acknowledging that while email and other tools central to client services are safely back online, other major systems are still being restored.

3 lessons law firms can learn from DLA Piper's nightmare

DLA Piper wasn't the first firm to suffer a catastrophic cyber attack, and it unfortunately won't be the last. With their access to and dependency on sensitive, high-value data, firms aren't going to stop being popular and vulnerable hacking targets any time soon. But as one of the most high-profile and hardest-hit victims of this major malware outbreak, it's likely DLA Piper will be the cautionary tale in law firm IT circles for quite some time. 

With that being the case, what lessons can other firms learn?

1) With ransomware, detection often comes too late

According to one of the firm's statements, its IT team was able to act quickly to prevent the spread of Petya thanks to an alert from its "advanced warning system" that suspicious activity had been detected on the network. While that alert was certainly helpful in notifying them there was a problem so they could stem the bleeding, unfortunately by that point significant damage had already been done. 

Today's malware infections move incredibly quickly, and if the purpose of an infection is to render files and systems inaccessible, being alerted that you're locked out after the fact is not ideal security. 

The first crucial takeaway from DLA Piper's infection is an important reminder of the value of actively investing in attack prevention (not just detection and response). 

2) Everyone has a plan until you get punched in the face

As if suffering through weeks of downtime and disruption thanks to a worldwide ransomware attack wasn't enough, adding insult to injury was the fact that DLA Piper had just published a blog post specifically instructing companies on how to avoid falling victim to the next worldwide ransomware attack. 

The post, outlining "9 things you should know to protect your company from the next attack," shares some very sensible advice on improving an organization's security posture in a very systematic and long-term way, but there's a very big difference between this...

Implementation: Obtain advice on cybergovernance structure and reporting to C-suite and the board, rectification of RAG report deficiencies based on instructions, develop IT use protocols, cyber policies and procedures, personnel policies and level policies, maintenance of cyber systems and implementation monitoring, update contract methodology around cyber risk transfer and mitigation including vendor template agreements and vendor risk review process, establish business continuity and disaster recovery plans.

...and actually reacting to a sudden ransomware crisis in the moment.

Another key takeaway from this incident is that even for extremely practiced firms and organizations (DLA Piper asserts it has assisted numerous companies in responding to and recovering from cyber attacks), mitigation can take time and be one heck of a bumpy ride. Not only do organizations need a plan, they need to be prepared to adjust and react when things don't go according to that plan.

3) No firm is immune

Perhaps the most important (and troubling) lesson from this attack comes from Larry Ponemon, chairman and founder of the Ponemon Institute, a research think tank specializing in data protection. According to Corporate Counsel, Ponemon has worked with DLA Piper as a consultant and considers its data privacy and security measures to be "very good."

"From my experience, [DLA Piper] is an excellent firm with reasonable due diligence procedures. This tells me...this could happen to anyone."

— Larry Ponemon

Indeed, if a giant global law firm with revenue of roughly $2.5B in 2016 couldn't protect itself against this type of attack, what hope do other firms have?

What firms can actually do now to protect themselves from the next attack

There's no lack of steps firms can take to better protect themselves against a variety of potential security incidents and attacks. DLA Piper's blog post lists nine — from conducting gap analysis to providing security training. 

But while these are good long-term fixes, they don't really address the immediate issue — both Petya and WannaCry were able to exploit some very specific vulnerabilities. To prevent any follow-up attacks also exploiting those vulnerabilities from being successful, firms should do the following five things:

1) Secure SMB and RDP

Considering WannaCry and Petya both used an exploit (EternalBlue) that targets a vulnerability in Server Message Block (SMB), investigating whether any machines have port 445 (the port associated with SMB) open and exposed to the Internet should be a top priority.

While they're at it, firms should also do the same thing for port 3389 (the port associated with Remote Desktop Protocol (RDP)). We've seen a significant spike in ransomware infections via RDP this year, with attackers scanning for open ports and attempting to brute force their way past weak or default passwords to gain execution.

Using a port scanning tool like Nmap can help you find all the open ports on your network. Keep in mind, attackers have access to these types of tools, as well. Here’s a tutorial from DigitalOcean that walks you through how to test your firewall configuration and see what your network looks like to an attacker.
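As an added example (not part of the original article), the Python below reads Nmap's grepable output (`-oG`) from a scan of your own address space and lists only the hosts where 445/tcp or 3389/tcp is in the `open` state. The sample scan text, host names and addresses are constructed for illustration.

```python
import re

# Ports the article singles out: SMB (EternalBlue) and RDP (brute forcing).
RISKY_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed sample of Nmap grepable (-oG) output using documentation-range
# addresses; it is not taken from a real scan.
SAMPLE_SCAN = """\
# constructed header: nmap -p 445,3389 -oG - 203.0.113.0/29
Host: 203.0.113.1 (gw.example.com)\tStatus: Up
Host: 203.0.113.1 (gw.example.com)\tPorts: 445/filtered/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///
Host: 203.0.113.4 (files.example.com)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.6 ()\tPorts: 445/closed/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (0)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def exposed_services(grepable_text, risky=RISKY_PORTS):
    """Return {ip: [(port, label), ...]} for risky TCP ports reported open."""
    findings = {}
    for line in grepable_text.splitlines():
        # Skip comments and "Status:" lines; only "Ports:" lines carry states.
        if line.startswith("#") or "Ports:" not in line:
            continue
        match = HOST_RE.match(line)
        if not match:
            continue
        ip = match.group(1)
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            port, state, proto = int(fields[0]), fields[1], fields[2]
            # "filtered" and "closed" are not reachable services; flag only "open".
            if proto == "tcp" and state == "open" and port in risky:
                findings.setdefault(ip, []).append((port, risky[port]))
    return findings


def report(findings):
    """One line per exposed host, sorted for stable diffing between scans."""
    return [
        f"{ip}: open " + ", ".join(f"{name} ({port}/tcp)" for port, name in sorted(findings[ip]))
        for ip in sorted(findings)
    ]


if __name__ == "__main__":
    print("\n".join(report(exposed_services(SAMPLE_SCAN))))
```

Saving the report from each scheduled scan and diffing it against the previous one shows when a newly exposed SMB or RDP service appears.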

2) Patch the machines you can, identify and isolate the ones you can't

It's easy to say all machines in your organization should be fully patched and up-to-date, but the reality is deploying patches across enterprise environments can pose significant logistical challenges. There may be machines that you simply can't apply updates to for a variety of reasons. If possible, segment these machines and reduce your risk by limiting what they have access to. 

To find out whether any of your outdated machines are vulnerable to EternalBlue you can use the free scanning tool Eternal Blues.

3) Protect endpoints with more than just AV

As we consider the number of victims infected by these recent malware outbreaks, and the widespread damage they have caused, it's clear that organizations don't just need to do more in terms of security, they need to do "different." 

That means supplementing standard antivirus solutions with newer forms of protection designed to block even never-seen-before malware based on its behavior. To find out how Barkly is keeping companies one step ahead of the latest attacks, learn more about how our endpoint protection works.

4) Make sure you're practicing a 3-2-1 backup strategy

3-2-1 backup is a best practice that requires you to have three copies of your data in two different locations, one of which is offsite (ex: in the cloud). Making your backup 3-2-1 compliant ensures that even if one copy of your backup is encrypted or destroyed by ransomware you’ll still have at least one off-site copy that can’t be touched.

Just keep in mind recovering from backup should be considered more of a last resort/safety net rather than a silver bullet. Less than half of organizations hit with ransomware report being able to recover all of their encrypted data from backup.

5) Work down the list provided by DLA Piper

Once you've addressed the four things above, then it's a good idea to step back and invest in the big picture considerations and activities discussed in the firm's blog post.

Jonathan Crowe


Jonathan covers the latest threats and cybersecurity trends from a practical perspective.

