What we can learn from the Grubman ransomware attack

Overview

In May this year, the US entertainment law firm Grubman, Shire, Meiselas & Sacks (Grubman) was a target of a ransomware attack, causing an estimated loss of over US $42,000,000. The data stolen included a variety of personal data and information including contracts, non-disclosure agreements and private correspondence from their high-profile celebrity clients. 

What is ransomware?

Ransomware is malicious software designed to block access to data or a computer system until a sum of money is paid or other conditions are met. Ransomware is a cyber threat to organisations of all sizes and can be distributed through:

  • Visiting unsafe or suspicious websites;
  • Opening emails or files; and
  • Clicking on ‘malicious links’ in social media and peer-to-peer networks.

Grubman’s attack involved sophisticated perpetrators using well-known ransomware called REvil to encrypt their sensitive data and steal large amounts of it as leverage.

What happens if I am a target of ransomware?

The first thing you should do is activate your data breach or incident response plan.

It is generally NOT recommended that you pay the ransom, because there is no guarantee that the perpetrators will restore or decrypt affected files and may make you more vulnerable to further attacks. Seek professional advice from cybersecurity experts.

Ransomware in Australia

Grubman’s ransomware attack is notable for its large-scale impact and the firm’s high-profile clients. However, all firms are also at risk of ransomware attacks.

Most SMEs are not likely to be targeted by highly sophisticated actors, but once vulnerabilities are disclosed, they become easily accessible to less sophisticated threat actors such as criminal groups. These groups can buy exploit kits that allow them to easily deploy this kind of malware.

Importantly, once a cyber vulnerability is disclosed there is usually a patch released by the software vendor. However, it is usually up to system administrators or IT service providers to ensure the patch is installed. Businesses should ensure that their IT providers are regularly installing all updates  

In its most recent Notifiable Data Breaches Report, the OAIC reported malicious or criminal attacks from July to December 2019 accounted for 64% of all data breaches during this period. Ransomware represented 6% of these incidents – primarily targeting healthcare and professional services sectors. 

The Australian Cyber Security Centre (ACSC) reported that the COVID-19 pandemic poses additional risks to the healthcare sector that is being actively targeted by highly sophisticated groups. The sector is a lucrative target due to the high value of information in vaccine development and research about outbreaks, potentially disrupt essential services and business-critical systems through attacking sensitive personal and medical data.

Recommendations to prevent Ransomware attacks

Although no network can be completely protected from ransomware attacks, there are simple preventative measures that organizations can take to ensure that they are less vulnerable targets and can avoid the harmful effects of cybercrime experienced by Grubman. The steps recommended by the ACSC include to:

  • Install and regularly update antivirus software.
  • Keep your operating system and software up to date with the latest versions; this should be done automatically where possible.
  • Minimise visits to unknown websites and avoid being enticed by clickbait.
  • Look for the padlock symbol and 'https' in the browser address bar when surfing the net.
  • Install a firewall to stop traffic from untrustworthy sources getting onto your device.
  • Back up your computers and phones regularly, and choose automatic back-ups where possible. Keep back-ups separate from your computer, on separate devices or use a cloud service.
  • Disable macros in Microsoft Office.
  • Have an incident response plan ready to dramatically reduce the damage inflicted, ensure a quick recovery and safeguard against future incidents.
  • Adopt multiple layers of defence against malware; no single mitigation will protect you. You can develop multiple strategies that will improve your resilience and detect malware without disrupting the day-to-day running of your organisation.

For more on strategies to ensure that your organisation is cyber secure, we recommend that you read the Essential Eight, a baseline policy created by the ACSC that is a cost-effective way to mitigate cyber security incidents: https://www.cyber.gov.au/publications/essential-eight-explained

For advice on how to minimise your potential liability from a data breach, including preparing a data breach response plan, contact our privacy and data security specialist Sam Hartridge here.