Normally when you hear a sentence mentioning both Lady Gaga and Donald Trump you’re looking at a setup for a joke.  Turns out it’s not funny at all for entertainment law firm Grubman Shire Meiselas & Sacks, who are looking at a $42 million ransom demand from cybercriminals after it was widely reported last week they suffered a massive data breach and subsequent threat to publish privileged documents pertaining to their most high-profile clients, notably Lady Gaga and the POTUS himself.  

So far it seems that the attack was carried out using the REvil / Sodinokibi ransomware, first identified a little more than a year ago.  While it hasn’t been revealed exactly how the malware got into Grubman Shire Meiselas & Sacks’s systems, REvil is typically delivered through malicious spam and phishing campaigns, attacks against Microsoft’s Remote Desktop Protocol (RDP), and even unpatched Oracle WebLogic server applications.

Like most ransomware variants, once inside the victim’s network REvil starts encrypting whatever files it can get access to, rendering them effectively unusable unless the victim pays the ransom and in return receives the decryption key from the attacker.  It also automatically deletes Shadow Copy checkpoints – a Windows feature that ‘snapshots’ files and allows an administrator to easily roll back to an earlier, undamaged version of the file. 

Far more alarming is that the cyber gang behind the attack claim to have stolen 756 gigabytes of privileged client data from the New York based law firm, and they have published samples of this data as proof.  If this is true, the impact of this attack goes way beyond ransomware.  756 gigabytes is a big chunk of data, and short of one of the attackers walking out the front door with a portable hard drive (a bit of a metaphor, since it’s possible the data was held in a datacenter or with a cloud provider), it would take time to copy and transfer that amount of data out over the internet connection.  This suggests the attackers may have been in the network undetected for a long time, pumping data out in a slow stream so as not to set off any alarms with IT.  This brings echoes of the infamous 2014 Sony hack, where the North Korea based attackers were believed to have spent anywhere from two months to over a year in Sony’s network stealing data.
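The “slow stream” point above is exactly what a per-event egress alert misses. The following is an added example (not from the original post or from Hexpistol) showing the difference between a single-day threshold and a cumulative one, run over a constructed set of daily outbound flow summaries; host names, addresses and byte counts are all made up for the illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

GB = 1_000_000_000

def constructed_flows():
    """Constructed flow summaries (day, host, dst_ip, bytes_out); not real telemetry.
    fileserver01 drains ~3.5 GB every night to one external address for 20 days,
    ws-paralegal07 shows ordinary traffic, backup01 does a single 60 GB upload."""
    flows = []
    start = date(2020, 5, 1)
    for i in range(20):
        day = start + timedelta(days=i)
        flows.append((day, "fileserver01", "203.0.113.10", 3_500_000_000))
        flows.append((day, "ws-paralegal07", "198.51.100.5", 40_000_000))
    flows.append((start + timedelta(days=3), "backup01", "192.0.2.20", 60 * GB))
    return flows

def daily_egress(flows):
    """Sum outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals

def classify_egress(flows, per_day_alert=10 * GB, window_alert=50 * GB):
    """Return (spike_hosts, slow_hosts).
    spike_hosts: at least one day alone exceeds per_day_alert, which a simple
    per-day rule already catches.
    slow_hosts: no single day trips per_day_alert, but the total over the whole
    window does; this is the low-and-slow pattern a per-day rule never fires on."""
    spikes, slow = [], []
    for host, per_day in daily_egress(flows).items():
        peak = max(per_day.values())
        total = sum(per_day.values())
        if peak > per_day_alert:
            spikes.append(host)
        elif total > window_alert:
            slow.append((host, total))
    return sorted(spikes), sorted(slow)

def days_to_drain(total_bytes, bytes_per_day):
    """Days needed to move total_bytes at a steady nightly rate (ceiling division)."""
    return -(-total_bytes // bytes_per_day)

if __name__ == "__main__":
    spikes, slow = classify_egress(constructed_flows())
    print("per-day rule fires on:", spikes)
    print("cumulative rule fires on:", slow)
    print("nights to move 756 GB at 3.5 GB/night:", days_to_drain(756 * GB, 3_500_000_000))
```

Only the cumulative window catches fileserver01, while the one-off backup upload is the kind of event a daily threshold is tuned for.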

If the attackers’ claims are true and they actually do have that amount of confidential data, good options will be few – the chances of catching them before they can cause harm are quite slim (the bad guys are obviously outside the U.S.), and even if the ransom is paid, what is to stop them from still selling the data, or keeping it for use at a later time?  Clearly the amount of exposure to liability brought on by this breach is catastrophic, even existential, for Grubman Shire Meiselas & Sacks.  Law firms by their nature are held to a higher standard of care due to the highly sensitive matters they handle for their clients.

The cybercriminals are currently claiming they will release damaging information on President Trump himself if the ransom, now doubled to $42 million, isn’t paid (this is disputed by Grubman Shire Meiselas & Sacks, who have never represented Mr. Trump).  The profile and frequency of cyberattacks are increasing dramatically as malicious actors exploit the chaos caused by COVID-19: last week both the Texas Supreme Court and the Texas Department of Transportation websites were brought down by ransomware attacks.

It’s clear that, along with all the IT challenges the global pandemic has brought about, information security must be a central part of the conversation.  As we’re seeing with Grubman Shire Meiselas & Sacks, this isn’t a technology problem, it’s a business survivability problem.  With businesses transitioning their workforces to a remote-first posture, hundreds of millions of employees are now working from home, and the corresponding attack opportunities for threat actors to exploit have just exploded.  A Forbes article published last week predicts the largest cyberattack in history will happen within the next six months due to the new nature of our workspace.

Hexpistol’s mission is to help companies get the right IT tools in place to achieve their business goals.  That can’t happen without a serious conversation about information security – as we’re seeing, a single breach can devastate a business and impact the lives of not only its employees but every one of its customers as well.  It’s no longer enough just to have antivirus on every computer or a good firewall in the network closet: malicious actors attack on three fronts, hardware, software and, most importantly, wetware (the human part of the organization).  Our role is to protect your business along each of these lines, through network and endpoint protection, disaster recovery solutions, and security awareness training (SAT) for your teams.  To find out more, let’s talk.