February 25, 2020

February 24, 2020

Subscribe to Latest Legal News and Analysis

GozNym Malware Attack Hits Two Law Firms for Over $117K in Losses

Two law firms were among the latest victims of the GozNym malware attack that caused a combined loss of more than $117,000. Law enforcement authorities recently announced the dismantling of a cybercrime network that used this GozNym malware to attempt to steal an estimated $100 million from victims in the United States and around the world. GozNym malware was designed to steal personal and financial information from victims, sometimes starting with phishing emails to the affected companies.

According to a press release issued by the US Attorney’s Office for the Western District of Pennsylvania, an international law enforcement operation brought down the cybercrime network. An indictment names several victims; among them two law firms, a church in Texas, a furniture business in California, a casino in Mississippi, an association dedicated to providing recreation programs and other services to persons with disabilities in Illinois, a distributor of neurosurgical and medical equipment in Germany with a US subsidiary, an electrical safety device provider in Rhode Island, a contracting business in Michigan, a stud farm in Kentucky, a provider of cold pack shipping products in Pennsylvania, a bolt manufacturing company in Pennsylvania, and a Pennsylvania asphalt and paving business.

The two law firms were identified as a law firm in Washington D.C. and the other in Wellesley, Massachusetts. The indictment alleges that the Washington D.C. law firm was the victim of a phishing email that directed the recipient to click on a link in the email. That click led to the malware infecting the computer. As a result of the malware, the individuals listed in the indictment gained unauthorized access to the law firm’s bank account, using credentials captured by GozNym malware, which ultimately resulted in a $76,178.12 loss to the firm.

The Wellesley, Massachusetts law firm’s loss was as a result of an unauthorized electronic funds transfer in the amount of $41,000, which was the result of login credentials being captured by GozNym malware and then used by the individuals named in the indictment to transfer the funds to an account they controlled.

The losses reported in the indictment are unfortunately the tip of the iceberg, as the actual costs that companies face when hit by a cyber-attack are not confined to the theft of the funds. Forensic costs, legal expenses, costs for notification to affected individuals, and credit monitoring costs are all additional costs that companies face when they are the victims of a data breach. In addition, companies must also address regulatory compliance issues in the event that individual state laws trigger breach notification requirements.

Two lessons to learn from GozNym that may help to protect companies from cyber-attacks: train your employees to recognize what a phishing email is and how to avoid the latest scams, and talk to your broker to determine whether your business is protected with appropriate and sufficient cyber liability insurance coverage.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...