Last week, it was announced that eminent entertainment law firm Grubman, Shire, Meiselas and Sacks (Grubman) was the victim of a significant cyberattack. Current reports suggest that in addition to encrypting the firm's data, so that the firm cannot gain access to its own files, the perpetrators made away with a massive amount of privileged data, including contracts, nondisclosure agreements, phone numbers, email addresses, and private correspondence of the firm's clients. The attack has garnered international attention for the high-profile individuals potentially affected and the large public ransom demand, which stands at $42,000,000 as of this writing.
The attack involved the use of well-known ransomware (called REvil/Sodinokibi), which has been used in a number of other high-profile cyberattacks, such as the one on foreign exchange firm Travelex. The identities of the attackers are not publicly known, but the track record of REvil's operators suggests they are sophisticated and experienced. The perpetrators have released a handful of documents to prove the validity of their claims, and sources suggest that they will publish the data in installments if their demands are not met.
Is This Out of the Ordinary?
While the attack against Grubman is notable for its publicity and the amount and public nature of the ransom demand, ransomware attacks have been growing. The cybersecurity company Symantec noted an increasing trend of enterprise-focused ransomware in 2018. Furthermore, prominent cyber threat intelligence firm Crowdstrike estimated that enterprise-scale ransomware operations were the most lucrative form of electronic crime in 2019. While there is no methodology for accurately capturing its costs, various organizations estimate a yearly cost of around $7.5bn in direct payments and around $170bn when including indirect costs, such as lost productivity.
Unfortunately, there is no guarantee that paying ransomware will unlock and restore impacted services or that the criminals would not just come back to try to collect again in the future. Worryingly, ransomware attacks are adapting to the gradual increase in cybersecurity awareness and maturity within the private sector. This evolution is demonstrated in the attack against Grubman, where the perpetrators not only encrypted Grubman's data, but also purposely made off with large amounts of it. This "stolen" data creates additional leverage for the ransom demand by threatening to publicly release sensitive data, while also providing the attackers with the option to sell the stolen data on the dark web if the victim opts to refuse payment and restore from back-ups. For this reason, and the fact that payment may incentivize ransomware behavior, the Federal Bureau of Investigation does not support the payment of cyber attackers who use ransomware.
While ransomware can be found in every industry sector, those industries that can least afford disruptions to services, reputational damage, or loss of client trust are ideal targets that are most likely to pay and pay quickly. Vexingly, and somewhat paradoxically, there is some evidence to suggest that the public knowledge that an organization possesses cybersecurity insurance increases the likelihood of its being targeted.
It is also important to note that ransomware is only one subset of the cyber threats that exist. Organizations of all sizes and industries are vulnerable to attempted malicious cyber activity, by inexperienced actors with entry-level tools and state-sponsored actors with limitless resources exploiting as-yet-unknown vulnerabilities. This is to say nothing of the large percentage of data breaches that stem from insider threats, such as possible disruptions by disgruntled employees.
How Did This Happen? What Should I Be Doing?
It may never be publicly disclosed how the Grubman breach occurred. However, it is dangerous to write off what happened as an inevitable event. Most data breaches are not the result of state- sponsored intelligence agencies using state-of-the-art tools and techniques. Most data breaches are a result of far simpler and more avoidable mistakes. Admittedly, no network can be made completely unbreachable, but data can be hardened against ransomware. The key is to assess your cyber risks and make sure that you are on the path to protecting your most valuable assets and your reputation.
While it is important for all organizations to take cyber threats seriously, it is an absolute imperative for organizations that deal with privileged or regulated data, or that cannot afford to have their services disrupted, their reputation damaged, or the trust of their clients breached.
For more information on how you can mitigate cyber risk or about this article, please contact the authors.
Venable's Cybersecurity Group is led by Ari Schwartz, a former member of the White House National Security Council, where he served as special assistant to the president and senior director for cybersecurity. Ari is joined by co-author John Banghart and other cybersecurity professionals with decades of industry and government experience. They work in tandem with attorneys across Venable to provide comprehensive cybersecurity services to companies and high-profile individuals, including assessing digital footprints for cybersecurity threats, securing the safety of client data, aiding in the creation of security policies and procedures, and providing exercises and training to test security preparedness.