On November 22, Law in Order fell victim to a NetWalker ransomware attack. The attackers threaten to publish the breached data if the ransom isn't paid.
# Incident Report: NetWalker Ransomware Attack on Law in Order
## Executive Summary
On November 22, 2020, Law in Order, an Australian document and digital service provider for law firms, suffered a significant security incident involving NetWalker ransomware. The attackers encrypted compromised data and threatened public release unless a ransom was paid within seven days, prompting an immediate, precautionary halt of most business operations. The organization engaged cybersecurity experts to investigate and begin remediation.
## Incident Details
- Discovery Date: November 22, 2020
- Incident Date: November 22, 2020 (server breach)
- Affected Organization: Law in Order
- Sector: Legal Services / Document & Digital Solutions
- Geography: Australia
## Timeline of Events
### Initial Access
- Date/Time: November 22, 2020 (date the breach was confirmed)
- Vector: Not explicitly detailed in the source; the intrusion culminated in the deployment of NetWalker ransomware.
- Details: Attackers breached Law in Order's servers.
### Lateral Movement
- Details: Not explicitly detailed in the source, but the encryption of data implies successful internal reconnaissance and deployment of the ransomware across networked systems.
### Data Exfiltration/Impact
- Date/Time: Following the breach.
- Details: Attackers encrypted compromised data and held it hostage. The attackers later published "possible proof of the ransomed data online," suggesting that data exfiltration occurred and contradicting the company's initial internal assessment of November 23.
### Detection & Response
- Date/Time: November 22, 2020 (Immediate)
- Details: Law in Order confirmed the breach and immediately implemented countermeasures, significantly limiting network access to prevent further compromise, which consequently halted much of its business operations.
- Response Actions: Engaged expert cybersecurity investigators and advisers.
## Attack Methodology
- Initial Access: Unknown/not specified (the infection vector that led to ransomware deployment).
- Persistence: Implied by the attackers' ability to deploy encryption across systems.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified, though the successful deployment indicates evasion of existing controls.
- Credential Access: Not specified.
- Discovery: Not specified.
- Lateral Movement: Implied, as systems were encrypted.
- Collection: Implied; the attackers later published possible proof of the ransomed data.
- Exfiltration: Data theft is indicated by the attackers later publishing what appears to be proof of the ransomed data online.
- Impact: Data encryption via NetWalker ransomware coupled with double extortion (threat to publish data).
## Impact Assessment
- Financial: Not disclosed; costs include the potential ransom payment and business disruption.
- Data Breach: Data was encrypted; exfiltration occurred (though its extent was initially unconfirmed by the company). The impact was severe enough to halt most business operations.
- Operational: Business operations were largely halted as a precautionary measure ("halted much of our business operations").
- Reputational: A public security incident was confirmed by Law in Order via an official statement.
## Indicators of Compromise
- Network indicators: None provided in the source.
- File indicators: NetWalker ransom note (text document opened in Notepad).
- Behavioral indicators: Deployment of NetWalker ransomware payload resulting in mass file encryption.
## Response Actions
- Containment measures: Immediate, precautionary limitation of access to much of the network.
- Eradication steps: Engaged expert cybersecurity investigators and advisers to work on remediation.
- Recovery actions: Prioritized restoring systems back online safely and methodically.
## Lessons Learned
- The Ransomware-as-a-Service (RaaS) model used by NetWalker broadens the threat landscape for organizations.
- Incidents resulting in double extortion (encryption + data theft threat) require robust data governance and exfiltration monitoring.
- Immediate, proactive steps to halt operations can prevent further spread across the network, but at the cost of significant business disruption.
## Recommendations
- Strengthen network segmentation to limit lateral movement capabilities of ransomware strains like NetWalker.
- Enhance endpoint detection and response (EDR) capabilities to rapidly identify and isolate initial intrusion activity and ransomware execution behaviors.
- Review and test data backup and restore procedures, ensuring backups are isolated from the main production network so that systems can be recovered quickly without paying a ransom.