On November 22, Law in Order fell victim to a NetWalker ransomware attack. The attackers threatened to publish the breached data if the ransom was not paid.
# Incident Report: NetWalker Ransomware Attack on Law in Order
## Executive Summary
Law in Order, an Australian provider of document and digital services to law firms, suffered a NetWalker ransomware attack on November 22, 2020. The attackers encrypted data on compromised systems, and the company halted much of its business operations as a precaution to protect the rest of its network. Law in Order immediately engaged cybersecurity experts to investigate and remediate. It initially reported no evidence of data exfiltration, but the attackers later published material online that they presented as proof of stolen data.
## Incident Details
- **Discovery Date:** November 22, 2020 (Reported)
- **Incident Date:** November 22, 2020 (Sunday)
- **Affected Organization:** Law in Order
- **Sector:** Legal Industry (Document and digital service provider for law firms)
- **Geography:** Australia
## Timeline of Events
### Initial Access
- **Date/Time:** November 22, 2020
- **Vector:** Breach of a server, followed by deployment of NetWalker ransomware (the specific initial access vector is not detailed in the source).
- **Details:** Attackers encrypted compromised data and issued a ransom demand, threatening to disclose data if payment was not received within seven days.
### Lateral Movement
- **Details:** Not explicitly described, but the impact of encryption across "networked systems" suggests successful internal traversal.
### Data Exfiltration/Impact
- **Details:** Data was encrypted via ransomware. Initially, Law in Order stated they saw no evidence of data exfiltration, but the attackers later published possible proof of the ransomed data online.
### Detection & Response
- **How it was discovered:** Not detailed in the source; the breach was identified on Sunday, November 22, 2020.
- **Response actions taken:**
* Immediate countermeasures to prevent further network compromise, which required temporarily halting much of the business's operations.
* Engaged expert cybersecurity investigators and advisers.
* Began methodical investigation and remediation with the priority of safely restoring systems.
## Attack Methodology
- **Initial Access:** Server breach (Specific method unknown).
- **Persistence:** Not detailed in the source. (NetWalker is the encryption payload, not a persistence mechanism; its deployment belongs under Impact.)
- **Privilege Escalation:** Not detailed, but typically required to encrypt across a network at this scale.
- **Defense Evasion:** Not detailed, but typical of ransomware operations.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Implied via encryption of "much of its network."
- **Collection:** Implied. The attackers later published material they presented as evidence of exfiltration, which indicates data was gathered before or alongside encryption.
- **Exfiltration:** Probable, evidenced by the threat actors' subsequent online publication; the source does not confirm the volume or content of what was taken.
- **Impact:** Data encryption (ransomware deployment) causing operational shutdown.
## Impact Assessment
- **Financial:** Ransom demand (amount not specified), plus losses from the operational standstill. Separately, an estimated A$43.6 million in Bitcoin was transferred to NetWalker-affiliated wallets across the group's campaigns between March 1 and July 27, 2020; that figure describes the NetWalker operation as a whole, not this incident.
- **Data Breach:** Potential compromise of documentation and digital assets belonging to Law in Order and its law firm customers. Initial statement suggested no customer network compromise.
- **Operational:** "Much of our business operations" were halted as a precaution to protect systems.
- **Reputational:** A public announcement of the incident was required, affecting trust with legal clients whose documents the company handles.
## Indicators of Compromise
- **Network indicators - defanged:** *Not provided in the source.*
- **File indicators:** NetWalker ransomware executable/payloads (no hashes or file names are provided in the source). Ransom note delivered as a text file that opens in Notepad.
- **Behavioral indicators:** Encryption of networked systems; delivery of ransom note.
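Because the source provides no network or file hashes, detection has to rest on the behavioural indicators above: a burst of files rewritten with high-entropy contents under a newly introduced extension, plus a ransom note dropped alongside them. The following is an added example for this page, not code from Law in Order or its investigators. It builds a constructed directory tree in a temporary folder and runs a simple triage over it; the `.locked` extension, the note file name and the file names are assumptions for the demo (NetWalker's real extensions are generated per victim and are not given on this page).

```python
"""Host-side triage for ransomware-style mass encryption (added example).

Builds a constructed sample tree (a few plain documents, a burst of files
rewritten with random bytes and a new extension, and a ransom note) and
flags the behavioural indicators: many high-entropy files sharing a freshly
introduced extension, and a note file.  Names and the ".locked" extension
are assumptions for the demo, not indicators from the incident.
"""
import math
import os
import tempfile
from collections import Counter

# Substrings commonly seen in ransom-note file names; assumption for the demo.
NOTE_MARKERS = ("readme", "restore", "how_to", "decrypt")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, usually <6 for documents."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_tree(root: str, min_cluster: int = 5, entropy_floor: float = 7.5) -> dict:
    """Walk root and return the indicators found.

    suspicious_ext  : extension shared by >= min_cluster high-entropy files (or None)
    encrypted_files : paths in that cluster
    ransom_notes    : .txt files whose name matches NOTE_MARKERS
    """
    by_ext: dict[str, list[str]] = {}
    notes = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".txt") and any(m in lower for m in NOTE_MARKERS):
                notes.append(path)
                continue
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the first 4 KiB is enough to judge entropy
            if shannon_entropy(head) >= entropy_floor:
                by_ext.setdefault(ext, []).append(path)
    suspicious_ext, cluster = None, []
    for ext, paths in by_ext.items():
        if len(paths) >= min_cluster and len(paths) > len(cluster):
            suspicious_ext, cluster = ext, paths
    return {
        "suspicious_ext": suspicious_ext,
        "encrypted_files": sorted(cluster),
        "ransom_notes": sorted(notes),
    }


def build_constructed_tree() -> str:
    """Create a throwaway tree of constructed sample data (not real victim files)."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    docs = os.path.join(root, "matters")
    os.makedirs(docs)
    for i in range(3):  # ordinary low-entropy documents
        with open(os.path.join(docs, f"brief_{i}.txt"), "w") as fh:
            fh.write("Affidavit of service, paragraph " * 200)
    for i in range(8):  # simulated encrypted output: random bytes, new extension
        with open(os.path.join(docs, f"exhibit_{i}.pdf.locked"), "wb") as fh:
            fh.write(os.urandom(4096))
    with open(os.path.join(docs, "Readme_Restore_Files.txt"), "w") as fh:
        fh.write("Your files are encrypted. (constructed note text)\n")
    return root


if __name__ == "__main__":
    print(triage_tree(build_constructed_tree()))
```

The entropy floor and cluster size are tuning knobs: compressed archives and existing encrypted containers also score near 8 bits per byte, so the extension clustering is what separates a ransomware burst from a folder of ZIP files.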
## Response Actions
- **Containment measures:** Immediate limiting of access to much of the network to stop spread.
- **Eradication steps:** Working with cybersecurity experts to remediate the incident (steps not specified).
- **Recovery actions:** Priority placed on restoring systems back online safely and quickly.
## Lessons Learned
- Reliance on document and digital service providers exposes legal firms to significant third-party risk.
- Immediate operational shutdown can be a necessary precaution during active ransomware events, despite the business impact.
- The initial assessment of no data exfiltration was undermined when the attackers published what they presented as proof of the stolen data; absence of obvious artefacts is not evidence that nothing left the network.
## Recommendations
- Enhance network segmentation to restrict the blast radius of potential ransomware events.
- Implement robust, offline backups to ensure rapid, secure recovery without engaging with threat actors.
- Validate data exfiltration protection mechanisms proactively, rather than relying solely on initial forensic findings, given the prevalence of double extortion tactics by ransomware groups like NetWalker.
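Double extortion means data is copied out before the encryption runs, so the question "did anything leave?" is best answered from egress telemetry rather than from a lack of obvious artefacts on disk. The following is an added example for this page, not tooling from Law in Order or its investigators. It reads proxy-style log lines (constructed for the demo), builds a per-host daily baseline, and flags days whose outbound volume jumps far above that baseline, noting any destination the host has not used before. The field layout, host names, addresses, window and thresholds are all assumptions.

```python
"""Outbound-volume anomaly check for double-extortion staging (added example).

Log lines are constructed: "timestamp source_host destination bytes_out".
A host whose daily egress exceeds both an absolute floor and a multiple of
its own historical median is reported, together with destinations it had
not contacted on earlier days.  Thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
2020-11-15T02:10:00 DOC-SRV-01 updates.vendor.example 1200000
2020-11-16T02:10:00 DOC-SRV-01 updates.vendor.example 1100000
2020-11-17T02:10:00 DOC-SRV-01 updates.vendor.example 1300000
2020-11-18T02:10:00 DOC-SRV-01 updates.vendor.example 1250000
2020-11-19T02:10:00 DOC-SRV-01 updates.vendor.example 1150000
2020-11-20T02:10:00 DOC-SRV-01 updates.vendor.example 1200000
2020-11-21T02:10:00 DOC-SRV-01 updates.vendor.example 1250000
2020-11-21T23:40:00 DOC-SRV-01 203.0.113.7 48000000000
2020-11-22T00:15:00 DOC-SRV-01 203.0.113.7 52000000000
2020-11-21T09:00:00 WS-LEGAL-14 mail.example 3000000
2020-11-22T00:30:00 WS-LEGAL-14 mail.example 2800000
"""


def parse(log_text):
    """Yield (timestamp, host, destination, bytes_out) from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), host, dst, int(nbytes)


def daily_egress(records):
    """Sum bytes_out per (host, day) and record the destinations seen that day."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for ts, host, dst, nbytes in records:
        day = ts.date()
        totals[(host, day)] += nbytes
        dests[(host, day)].add(dst)
    return totals, dests


def find_exfil_candidates(log_text, ratio=10.0, floor_bytes=1_000_000_000):
    """Return one finding per (host, day) whose egress is anomalous.

    A day is flagged when its total is at least floor_bytes AND at least
    ratio times the median of that host's earlier days.  The median keeps a
    single huge day from inflating the baseline for the day after it.
    """
    totals, dests = daily_egress(parse(log_text))
    findings = []
    for host in sorted({h for h, _ in totals}):
        days = sorted(d for h, d in totals if h == host)
        for i, day in enumerate(days):
            prior = [totals[(host, d)] for d in days[:i]]
            if not prior:
                continue  # no baseline yet for this host
            base = median(prior)
            today = totals[(host, day)]
            known = set().union(*(dests[(host, d)] for d in days[:i]))
            if today >= floor_bytes and today >= ratio * base:
                findings.append({
                    "host": host,
                    "day": day.isoformat(),
                    "bytes_out": today,
                    "baseline_median": base,
                    "new_destinations": sorted(dests[(host, day)] - known),
                })
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_LOG):
        print(f)
```

Run this over proxy, firewall or flow exports on a schedule and the check becomes a standing control rather than a question first asked during incident response; the absolute floor keeps low-volume workstations from tripping on a single large email attachment.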