Although ransomware as a form of cyberattack has been around for over 20 years, the success of early ransomware attacks fueled a 43% increase in the number of ransomware incidents from 2015 to 2016. And, if it wasn’t before, the Petya and WannaCry attacks of 2017 made ransomware a household name. While large scale attacks against global organizations make headlines, CPA firms of all sizes are also vulnerable to this type of attack. The primary goal of a ransomware attack is money, but, as CNA’s (the underwriter of the AICPA Professional Liability Insurance Program) claim experience has demonstrated, even if a ransom is paid, there’s no guarantee that the attacker won’t come back asking for more. In addition, these cybercriminals may have left a little something behind on the firm’s network, with the secondary goal of obtaining confidential information.
Consider the following real-life example of a ransomware attack on a CPA firm.
An office manager at a CPA firm received a message on his computer screen advising that the firm’s files had been encrypted and demanding payment in bitcoin in order to decrypt the files. The firm made the business decision not to pay the ransom. Rather, it shut down, discontinuing use of the infected computers and restoring files from a backup. Several weeks after the incident, the firm noticed an unusually high number of e-file rejections, and some of the firm’s clients reported receiving unsolicited letters from the IRS regarding requests for tax transcripts. Finally, a handful of clients contacted credit bureaus and learned that unauthorized individual(s) tried to establish credit in their names.
Sensing something was amiss, the CPA firm, through its insurer, retained privacy counsel and conducted a forensic investigation to determine whether its network had been compromised and if there was unauthorized access to confidential data as a result. The investigation confirmed exfiltration of protected information, which required notification obligations and availability of credit monitoring for approximately 11,000 individuals, as well as notification to various State Attorneys General.
How a ransomware attack works
Ransomware is a form of malware that infiltrates a system by taking advantage of open security vulnerabilities such as infected software applications or external storage devices, compromised websites, and, more frequently, malicious links or attachments sent in phony emails by the attacker. Once the malware has been downloaded on the target device, it begins encrypting the user's files unbeknownst to the user. Once the malware has finished, a message displays on the device announcing that the user is locked out of their files and asking for a ransom payment in bitcoin, an untraceable digital currency, to regain access to the files. A time limit of three to four days is typically imposed before the encryption key is destroyed, rendering the affected files unreadable – forever.
Rise and evolution of ransomware
In early versions of this attack, the software would only encrypt the contents of the local machine where it had been installed. In more recent versions of a ransomware attack, the software attempts to encrypt removable drives, such as USB hard drives and flash drives, as well as network drives – even backups.
What else has changed? Early attackers targeted the internet at large, and the malware affected both individuals and businesses. The public sector, private sector and the government became notable victims. In more recent years, however, the allure of a bigger payout has shifted the attackers’ focus from targeting individuals to targeting more vulnerable organizations with the ability to pay larger ransoms. Small businesses are especially vulnerable inasmuch as they may lack the security infrastructure and expertise of larger organizations. Cybercriminals are probably well aware of this small business Achilles heel.
Beyond extorting money from the ransomware victim, more sophisticated cybercriminals have turned into entrepreneurs, offering their malicious product to other criminals who may not have the technological savvy or resources to develop their own malware. This model spreads the cybercriminal’s product through multiple distributors in exchange for a cut of the profits. “Ransomware-as-a-Service” is not a new trend; however, this model seems to be increasing in popularity. The ease with which malware can now be obtained and implemented only increases the frequency of such attacks.
What can your firm do to help safeguard its data?
Although there is no way to completely eliminate the risk of being victimized by a ransomware or other kind of data security attack, there are a number of preventative measures to help manage this exposure:
- Regularly train employees on ransomware and other attack methods including how attacks are distributed.
- Proceed with extreme caution when opening email attachments or clicking on Internet links even when the message appears to come from someone you know. If you were not expecting the message or attachment, confirm its authenticity with the sender.
- To confirm the sender’s authenticity, verify “out of band”, meaning to give the sender a call using a known phone number. Attackers will frequently impersonate known contacts in order to increase their chance of success. Confirmation is especially important if a message appears to come from a known acquaintance but seems suspicious.
- Do not download software from untrustworthy or unfamiliar websites. The same lesson applies to mobile applications.
- Back up important files regularly and keep at least one copy “offline,” meaning disconnected from your network, to prevent that backup from being infected by the malware.
- Ensure that the firm’s operating system and third party software are properly patched (i.e., Internet browsers, Flash, Java and Adobe Reader). Turn on automatic installation of patches where possible. Patches often remediate a security bug, and it is best to install them immediately.
- Utilize antivirus software with up-to-date definitions. It is important to note that antivirus will not catch all malware, but it does help.
- Follow the principle of least privilege by giving partners and employees the minimum level of user access rights needed to perform their responsibilities. Where an individual is required to have administrator level access, extreme caution should be applied when on the internet or when opening documents or links. The combination of administrator access and ransomware can be a devastating event for a firm as the attacker potentially has control over all the firm’s data and systems.
- Disable macros in Microsoft Office as they are a frequent path or means by which attackers can gain access to a system to deliver ransomware.
- Do not forget that third party vendors may have access to the firm’s confidential data. Vendors should employ similar processes and controls to help safeguard the firm’s confidential information.
- Address the firm’s residual risk of a data security incident through appropriate cyber liability insurance coverage.
If your firm has been infected with ransomware, it is important to take action quickly. Primary concerns for a firm will involve a determination of how to best recover the data (from backup or by unencrypting), ensuring that the environment is clean and that the ransomware did not leave another form of malware on the firm’s network, and taking steps to prevent reinfection.
Framework Helps Assess Cybersecurity Risks
A ransomware mitigation and response plan is just one piece of a robust cybersecurity risk management program. The American Institute of CPAs’ cybersecurity risk management reporting framework can help your firm assess and report on your existing cybersecurity risk management program. It provides a framework for identifying program shortfalls, establishing cybersecurity objectives, and fostering awareness within your firm.
While ransomware is an increasing problem, the most important step to confronting this growing menace is a proactive awareness of the risks, and implementation of strategic measures to help reduce the risk. With the proliferation of mobile devices, numerous additional access points exist for hackers to breach. How can you ensure that your system remains secure? Knowledge is power. By being informed and prepared, you can help ensure that your business does not become a statistic.
Nick Graf (firstname.lastname@example.org) is a risk control consulting director for information security at CNA. Sarah Ference (email@example.com) is a risk control director for accountants professional liability at CNA.
The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date the article was developed. The information, examples and suggestions presented in this material have been developed from sources believed to be reliable. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional and should not be construed as legal or other professional advice. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA. CNA recommends consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations. Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such Web sites. To the extent this article contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental. In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situations, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporations subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities. Copyright © 2017 CNA. All rights reserved.
 Verizon, 2017 Data Breach Investigations Report 10th Edition , p. 35 (2017), http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
 Verizon, 2017 Data Breach Investigations Report 10th Edition , p. 36 (2017), http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/