Last night Artificial Lawyer shared the news that Epiq, the legal data and services company, was experiencing a ransomware attack – which the company is still fighting against and is now being investigated by US Federal law enforcement.
This site asked Canada-based threat analyst, Brett Callow, at security company Emsisoft, who has written extensively about attacks on the legal sector before, what he thought this attack meant.
Callow’s first point was that he believes it’s too early to be certain that client data hasn’t been compromised.
A source close to Epiq told this site that ‘no client data had been accessed’, while an official statement added that: ‘There is no evidence of any unauthorized transfer or misuse or exfiltration of any data in our possession.’
From Callow’s perspective saying this with absolute certainty so soon after the initial attack may not be possible.
‘Ransomware incidents should be regarded as data breaches from the get-go. Waiting for several weeks until a forensic analysis is complete gives the criminals too much time to work with any data that was exfiltrated,’ he said.
He explained to Artificial Lawyer that the situation can sometimes be like ‘someone walking into a burglarised home and saying: ‘I don’t think anything has been taken’.’
‘Working out what did or did not happen during a ransomware incident requires a full forensic investigation that can take several weeks,’ he added.
He then gave examples of cases where businesses had hoped nothing had been taken, only to find out later some data had surfaced outside of the company.
‘Multiple ransomware groups do now steal data and use the threat of its release as additional leverage to extort payment. If the victim doesn’t pay, the data gets posted online where it can be accessed by anybody with an internet connection. This has happened to multiple law firms and other companies,’ he added.
Of course, and going back to Epiq’s formal statement, they don’t see any loss of data, and so – hopefully – they’ll be able to avoid this scenario.
But, more broadly, what kind of numbers are we looking at here? How much is Epiq being asked to pay? How long will the saga last?
Data collected by Emsisoft up to 2019 showed that:
- The average ransom demand is $84,000. But, recent evidence suggests that this amount may have increased significantly.
- 33% of companies pay the ransom demand.
- Ransomware incidents result in an average of 16 days downtime.
Let’s unpack that.
Epiq is a large company, with several thousand employees and bases around the world. A demand for $84,000, or any figure close to that, would clearly not be an issue. The question is whether the group behind the attack is asking for far more than this, to the point that it became a financial issue.
At present we do not know. A source close to the company told this site that Epiq was unlikely to say what the exact ransom demand was.
Also, we don’t know how far into the system the ransomware managed to get. If no data has been compromised and this is more about an operational front-end problem, it could be a matter of Epiq simply sorting out a new means of getting operational again and perhaps having no intention at all of paying anything. We don’t know yet.
The FBI, which is likely one of the Federal agencies helping Epiq, is understood not to support paying ransomware demands.
In terms of the amount of time off-line, this is another open-ended question. The Epiq site went down on Saturday, February 29. Today is Tuesday, March 3 – so that will already be four days by this evening.
At present, Epiq’s main site is just showing this image:
According to Callow – and there is no way of predicting exactly what will happen in this case – the average downtime is 16 days.
Clearly no business wants to stop operating for that long. Epiq could be back up and running as usual by the end of today, and we all hope it will. But, equally, it could be looking at a lot longer.
The legal market is one based on urgency and deadlines. Beyond all the other challenges right now for the company, this is therefore a major challenge in terms of client reactions – beyond the natural fears they may have regarding their data.
Also, for now, we don’t know exactly what areas of Epiq are affected. The company has many business units doing a wide variety of things, from ediscovery, to managed legal services, to paying out disbursements to people involved in class actions, to handling bankruptcy issues, to court reporting.
Some of these areas are more data sensitive than others. Some also can live with an operational delay more than others as well.
Ultimately, it’s a terrible thing to happen to any company and Artificial Lawyer has huge sympathy for any business this happens to. Hopefully this will get sorted out soon enough, but either way it underlines the importance of data security.
One last thing we also don’t know yet is how the ransomware arrived. While it could have been a super-sophisticated attack, it could also have been something as mundane as someone clicking on an email link that they shouldn’t have. And, as is often said by experts around the world, human error tends to be the biggest threat when it comes to data security. Which also means that any business, large or small, can face challenges like this.
I agree that it’s impossible and inappropriate for the company to state – at this stage – that they are certain no customer data was compromised. More so, given the number of law firms who use their services, odds are pretty good that, if data was compromised, it will trigger all sorts of reporting obligations for those firms.