As we near the end of Cybersecurity Awareness Month, TrialWorks, one of the top-rated providers of legal case management software for law firms and attorneys, became the victim of a ransomware attack in mid-October.
JDL Group learned of the ripples of disruption from this incident when we heard an outcry from the legal community. The attack made it impossible for lawyers to access the legal documents hosted on TrialWorks’ platform.
Sharing Recovery Progress with Customers
Initially, on October 13, TrialWorks notified its customers of a hosting outage at its data center. The message said that the issue was being dealt with and that updates on the situation would follow.
An email the next day provided more details about the incident, naming ransomware as the cause of the outage.
“Thank you for your continued patience as we have worked tirelessly to restore access to your data following the ransomware incident TrialWorks experienced,” the message read.
To remedy the outage, TrialWorks told customers that they were “partnering with multiple top cyber security firms”, and a subsequent email said that two cybersecurity companies were helping with the investigation and systems restoration efforts. For the duration of the process, though, customers could not access their records.
Once secured, the systems would be gradually brought back online, with limited customer access until the procedure finished.
It is important to note that TrialWorks did not communicate the ransomware incident publicly but informed customers via email of the situation and how they dealt with it.
On October 15, two days after the ransomware hit, TrialWorks announced that the systems had been disinfected and team members were “actively decrypting and restoring data,” suggesting that the company paid the ransom.
The ransomware family responsible for the incident remains unknown for the time being. However, the attack resembles one in late August, when another category of professionals – dentists – could no longer access patients’ medical records stored on the Digital Dental Records (DDS) backup platform because they were encrypted.
The culprit for that particular attack was REvil/Sodinokibi, a highly profitable ransomware that follows in the footsteps of the infamous GandCrab.
This piece of ransomware is currently distributed by affiliates that are carefully selected for their experience with malware distribution and technical skills. Targets are typically enterprises, managed service providers (MSPs), and government entities. In short, victims that can pay a ransom.
Attorneys Asking for Extensions
Some law firms were forced to ask courts to extend the deadline for filing documents supporting their cases. At least two such firms were put in this situation.
A managing partner at Whittel & Melton in Spring Hill, FL stated that one of the firm’s attorneys was forced to request an extension for filing a response in a federal case, citing TrialWorks’ outage that blocked access to critical documents in the case.
Another instance was an attorney at a law firm in Woodland Hills, California, who also had to request an extension in a different case because they received no assurance from TrialWorks that access to their case work documents would be restored before the filing deadline expired.
“At this time, we do not expect that our hosting environment will be fully operational tomorrow. We will communicate via email as milestones are completed,” reads an email the lawyer received two days before the deadline expired.
TrialWorks sent daily reports to customers, informing them of the current remediation state. Some customers reported returning to operations on October 17. Others, however, waited until October 22 to get access to their files.
The reason for this delay is that it takes time to recover from a ransomware attack, even when the ransom is paid and a decryption key is available; the number of files being restored plays a significant role in how long the operation takes.
In an email to a customer, Patrice Gimenez, TrialWorks’ Chief Customer Advocate, said that the company learned its lesson and is “committed to expend all the resources” necessary to address the current problem and prevent its recurrence:
“We are not the first, nor will we be the last organization in our industry to be the target of one of these attacks. However, we have learned from this experience and are committed to expend all the resources required to both address this issue head-on and mitigate the chance of a recurrence.”
For more information on a free dark web scan and how to protect your law firm, contact the JDL team at 973-607-2140.