6 March 2020 (Sliema, Malta) – This past week the e-discovery world was (slightly) agog on news Epiq Global, one of the world’s largest legal services providers, identified a ransomware attack that forced the company to take its global systems offline. Ryuk Ransomware was deployed on Epiq’s systems which began encrypting devices on their network. Legal reporter Bob Ambrogi was the first to break the news.
NOTE: to date, there is no evidence that any unauthorized data transfer, misuse or exfiltration took place during the ransomware attack, according to Epiq.
The Epiq ransomware attack was discovered 29 February. Epiq detected unauthorized activity on its systems and later confirmed it was a ransomware attack, the company said. Epiq has been working to bring its affected systems back online and has launched an investigation into the ransomware attack. In addition, Epiq’s technical team is working with third-party experts to address the incident.
NOTE: Epiq provides legal services to law firms, corporations, financial institutions and government agencies. The company has more than 80 offices and 5,500 employees worldwide. The company is also one of the largest clients of a company I used to own, The Posse List, which among other things runs a job listserv for the information technology/informatics/legal services/legal technology industry. Epiq is the second largest job poster to those lists for e-discovery document review teams plus other legal technology support positions. It has a large footprint in the industry.
There is a lot of background information on the Epiq attack. For some basic pieces of the puzzle here are a few links:
• Rob Robinson’s summary which can be found here
• A report from Techcrunch which you can access here
• A report from Bleeping Computer which sheds light on how Epiq Global became infected. Their story is here.
• A compelling discussion started by Martin Nikel on Linkedin which includes just about everybody in the e-discovery biz. You can access the link here.
This past January, CrowdStrike gave a presentation on Ryuk ransomwear at the International Cyber Security Forum in Lille, France. Ryuk is a family of ransomware run (primarily) by a Russia-based criminal group. It is used to attack enterprise environments, meaning the vast array of technological devices in a corporate infrastructure. So if backup procedures in the corporate environment make custodian data available on devices other than an individual computer, such as on network servers or backup tapes or mobile devices, everything can be accessed. From the CrowdStrike presentation:
“In the world of malware, Ryuk ransomware has gone from rookie to pro at a disturbing speed. Ryuk has achieved this status not on its capabilities, but the uncanny way it infects systems. Ryuk, has a unique style of attack. It targets large entities by customizing the attack based on the victim, ensuring a high ROI in the process. Ryuk ransomware attackers is used to target large enterprises with extended, connected systems. It is also an effective ‘sleeper’ ransomware, laying dormant on infected systems.”
CrowdStrike made a similar presentation last year and if you want to really take a deep dive into the technical side of Ryuk cyber attacks click here.
There are a lot of general points you can make about the attack on Epiq. But as Martin Nikel has noted:
This situation is taxing physically and mentally on front-line professionals and management alike. Instead of taking pot-shots at Epiq, and joining the ‘I told you so’ brigade, I’d just like to spare a thought for all those involved having to deal with the immense pressure. In what is an already time-critical and stressful line of work, there will no doubt be people having to absorb the pressure. I wish them all the very best in dealing with and resolving the situation.
I have been scanning social media posts, listening to members of the e-discovery community and cyber security community, listening to Epiq insiders who may/may not bear a grudge and/or who want to get the word out, so just a few thoughts:
• From what I am told by Epiq insiders and a few cyber experts who had chats with Epiq IT people off-the-record, Epiq seems to have played cyber defense by the book from hour zero. It followed their established procedures to the letter. There is a lot of negative press (“Nothing is up to date and that is why it was so easy to attack us” one Epiq person told me). Is it a dissatisfied employee, happy to put the boot in? Some e-discovery vendors saw an opportunity to try and make something out of it to their advantage. So despite Martin’s admonition, negativity abounds.
• One thing is clear: Epiq will need to save some money to pay for this event for the cleanup plus the inevitable lawsuits. It will need to perform a clean security sweep. If an outside attacker took control of their entire server defense you can rest assured that security and password information may have been compromised. And Epiq isn’t going to make ironclad statements about exfiltration or compromised security or passwords. With 80 offices, extensive systems from dozens of acquisitions, legacy software and thousands of users and employees it will take months of forensic analysis to make any conclusive and determinative statements.
• No vendor should be gloating over this episode. Everybody is vulnerable. And this is hardly new. As all of us in this industry know, several other vendors have been attacked in recent years but had “cover” because they are small players and disclosure was at a minimum, or zero. These cyber attack stories will continue because this is the data business they are all in. Gulam Zade, CEO at LogicForce, stressed that while e-discovery vendors may appeal to bad actors for many of the same reasons that law firms do — access to sensitive information and a duty to preserve client data — ransomware has always, and will likely continue to be, industry agnostic. This is not going away.
• And for the e-discovery industry, it is also a marketing issue. At its core, the essential business model and value proposition for Epiq and every major player is “We are a 600lb gorilla in the marketplace with unmatchable resources and expertise to mitigate your risk and exposure through high stakes legal battles”. You don’t pay for that and expect the windows to be left open.
• And for the e-discovery industry, it is a bigger cost issue. Yes, read the industry reports and the e-discovery industry is described as a “multi-billion dollar business”. Lots of money for the latest state-of-the-art information review/governance technology – but seemingly short on the critical infrastructure expenditure. But as I have said before, the e-discovery industry talks champagne tastes but is on a beer pocket book. It cannot even afford to have “the largest and most important legal technology event of the year” … Legalweek, Legaltech, Legalweak, whatever … in a proper conference centre. It’s crammed into hotel ballrooms that later in the year will host the “beads, baskets, and baubles” show, and the baseball card auction show. Where the real important activity is (forced) to happen outside of the main event in scores of hotel suites. And this industry has money for proper cyber security?
• And there is the dark side. As Harry DeBari (who has extensively examined this industry in detail) has noted:
I think we also need to look at the broader picture. Epiq’s model of acquisition integration, particularly its purchase of DTI, is based on retaining old, legacy systems to milk revenue from hosting legacy data. This problem isn’t a by-product of spending decisions – it’s an essential part of their corporate DNA and business plan.
If true, this “DNA” is hardly exclusive to Epiq. There are scores of stories about vendors in this space who have skipped or skimped on infrastructure assimilation in their acquisitions.
Further complicating the aftermath of any cyberattack, as noted by scores of cyber analysts, is the possibility that investigators aren’t just checking for ransomware, but signs of data exfiltration or other harmful programs. Just because ransomware is part of the attack doesn’t mean it’s all of the attack. A tech-dependent e-discovery vendor such as Epiq likely maintains very expansive systems which equates to a lot of ground to cover during an investigation. But perhaps the most obvious factor influencing the duration of a ransomware investigation is whether or not companies choose to pay the ransom.
But while those concerns may not be the exclusive domain of the e-discovery industry, there’s still a good chance that the attack on Epiq will cause other vendors to sit up and take notice. And they have. My old Posse List mates have reported calls from the staff of other vendors who are all of a sudden ramping up cyber security efforts that had been left in the “to be done” basket.
And the Ryuk ransomware family used for this attack is developing further, with newer strains not only encrypting data, but also exfiltrating it first. It remains to be seen if the Epiq attackers got their hands on any critical data.
Lots of my work and research comes from my trips to Ukraine, courtesy of a long-time cyber security vendor client. It is part of my background research on a long piece I am writing on Russia’s “information warfare” campaigns and it affords me the opportunity to meet and speak with experts on the front lines of cyber attack campaign, both commercial and political. Because whatever you might think of Russia’s recent antics on the world stage, you have to concede: they have brilliantly exploited information-age tools to confuse audiences about what is truth, what isn’t, and to set their own narrative. The returns have been massive, and out of all proportion to the modest investment required.
I’ll have a more detailed post later this year on the Russian bear. For this post, just a few short bullet points for the corporate world on another area in which I have written about: how cyber tools have become more ubiquitous. A few brief points from my cyber brief which went out to my cyber list earlier today:
• Cyber criminals are catching up to nation-states’ hacking capabilities, and it’s making attribution more difficult. They’re not five years behind nation-states anymore, because the tools have become more ubiquitous.
• One of the things cyber analysts are seeing is that more cyber criminals are getting “corporate”: on the business-model side they are starting to use innovative processes like franchises, and affiliate groups, where a cybercriminal will develop technology and make it available to other cybercriminals. Franchising the malware means that criminals can concentrate on improving in other areas.
• What the cybercrime affiliates do is focus on identifying, for instance, phishing lists, or other ways to break into networks … and then actually launch ransomware or other malware. They do not need to build effective tools from scratch. They have that through the franchise. They can put all of their investment into executing their attack.
• That also means any improvement in cybercrime technology makes attribution harder. The tools look more like those of nation-states. And given Russia outsources lots of its cyber attack work to criminal cyber gangs, from an attribution standpoint it’s very difficult to determine if an actor is working at the behest of a foreign government or if they’re doing criminal activity on their own time.
• And the issues multiply. Criminals still behave differently in certain cases. If you’re a nation-state, you’re likely trying to achieve one very specific goal and will use whatever mechanism is required in order to do that. So in some ways it often requires less sophistication. On the flip side, cyber-criminals can come up with very sophisticated capabilities given that they have the luxury in most cases of a virtually unlimited victim pool and the luxury of time.
• Worse, easy access to data and technologies via open-source is not only leveling the intelligence playing field at the expense of the U.S. intelligence community. Non-state actors can now collect intelligence worldwide at little cost. Anyone with an Internet connection can see images on Google Maps, track events on Twitter, and mine the Web with facial recognition software, pulling all manner of personally identifying information off the Dark Web, etc.
• Moreover, commercial satellites now offer low-cost eyes in the sky for anyone who wants them. Inexpensive satellites roughly the size of a shoebox offer imagery and analysis to paying customers worldwide. Although no match for U.S. government capabilities, these satellites are getting better day by day.
• All of this means cyber criminals are taking advantage of the combination of “social listening” and physical infrastructure analysis to plan attacks. It also explains why more than one in 10 data breaches now involve “physical actions” which is leveraging physical devices to aid an attack, and break into hardware and physical infrastructure.
There is a shrinking gap between physical and cyber infrastructures. And that means businesses should be combining both cyber- and physical security efforts. When your door lock, when your burglar alarm, when your fire suppression system is computerized, networked and on the internet, you have no choice but to integrate them. Integration is happening because computers are moving into a space that was only physical. And that opens up all sorts of hacking opportunities.
But many cyber security professionals say its a bit hopeless because they are still struggling to get companies to install simple cyber security defenses. I will close with a few words from the vendor who invites me on the Ukraine trips, its thoughts on “why corporates don’t take cyber security seriously enough” :
(1) they envision cyber security as a kind of fortification process in which strong firewalls and astute watchmen will allow them to see threats from afar
(2) they assume that complying with a security framework like NIST or FISMA is sufficient security; and
(3) they haven’t had a security breach recently, so they must be doing something right: what doesn’t seem broken doesn’t need to be fixed.
The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is. And with 5G coming down the road and its terrifying potential to exponentially raise the level of cyberattacks it will make current attacks look like paper cuts.