Ransomware 2.0 – What to expect next

By Jamie Yoo, CISA and Nick Graf, ARM, CISSP, CEH

October 27, 2020

As keepers of sensitive personal and financial information, CPA firms are enticing to tech-savvy cyber attackers looking for a convenient, one-stop-shop to exploit. CPA firms need to be just as aware of cybersecurity threats as they are of filing deadlines and compliance guidelines. One of the most prevalent and damaging threats affecting accounting firms is ransomware.

Just as the name implies, ransomware is a type of malware that attempts to deny access to a user’s data, holding it “hostage” in exchange for a ransom. Demands often threaten that data will be permanently deleted or published. While the financial implications of ransomware may be top of mind for many, it is also hard for CPA firms to dismiss the intangible toll that the data breach may take on client relationships.

While most CPAs are aware of the basics of ransomware, the tactics used by ransomware attackers have evolved to avoid traditional means of detection and evade commonly known fixes. As cyberattacks get more and more sophisticated, CPAs’ knowledge of threats should become sophisticated too.

New tactics to avoid detection

Traditionally, ransomware has involved gaining access to a computer, quickly encrypting the contents and delivering a message to demand payment. Established methods to protect against such types of ransomware include endpoint detection and response (EDR) solutions or other forms of malware-blocking software that automatically prevent malware attacks.

Recently, to thwart automated ransomware defense mechanisms, cyber attackers have become creative in their tactics to ensure they’re interacting with a human target. One example is placing a CAPTCHA test in front of the malicious content, asking the unwitting user to identify blurred letters or match images so that the attacker can confirm the target is indeed human. This tactic lets attackers ensure that their attack will not be blocked by an automated mechanism and exploits the potential for human error, which may lead the user to a malicious link or download.

Increasing complexity of payment extractions

The ways in which ransom payments are extracted have also evolved. Previously, attackers would encrypt host data and offer the decryption key in return for a ransom payment. As more CPA firms have become better prepared (through better data backup practices) or made the ethical decision not to pay ransom demands, attackers are turning up the pressure through a multi-faceted approach.

In addition to their customary method of encrypting the data and demanding payment for decryption, attackers may also exfiltrate a copy of the data before encrypting it on the target’s computer. If their initial payment demand is rebuffed, they’ll threaten to publish the extracted copy unless a payment is made to delete the data. When the ransom is not paid, attackers have also resorted to auctioning data to the highest bidder on the dark web.

Decryption tools can present risk

While decryption tools have been created for many types of ransomware, beware of malicious or poorly designed decryption tools that may purposely cause harm or inadvertently corrupt the encrypted data, rendering recovery impossible.

One of the most unpleasant and uncertain aspects of dealing with a ransomware event is concluding that a payment must be made. Once the determination to pay has been made, the next question becomes, “will the cyber attackers uphold their end of the bargain when the payment is made, and delete the data as promised?”

While favorable outcomes cannot be guaranteed, consider engaging data security professionals to navigate through the assessment of the data, the reputation of the attacker, and options for recourse, whether it is decryption of the data or brokering ransom payments.

What’s next?

While traditional attack methods will continue, the most pertinent area firms should focus on is mobile devices. The COVID-19 pandemic has caused more and more CPA firms to enable the use of mobile devices for employees to work remotely. As such, CPA firms should factor in mobile devices when considering defense measures for evolving cybersecurity attacks like ransomware.

What can you do?

Cybersecurity is like a moving target. Staying vigilant in maintaining the security practices in place and keeping up-to-date about cybersecurity threats facing a CPA’s practice is not only prudent, it’s also critical. Consider the following simple strategies to start:

  • Protect against phishing schemes: A prominent vector that often leads to ransomware events is phishing. Phishing is a form of social engineering in which a bad actor uses various technological channels, typically an email, to solicit personal information from a targeted individual or company by posing as a credible source. To address the risks associated with phishing attacks, consider implementing the following measures:

1)      Train and remind employees to consider the following tips to help identify phishing attacks:

o   Do not respond to requests for sensitive information (e.g., account details, tax return information, etc.), especially if the request is marked as “urgent,” without verifying the validity of the requester, even if it appears to have come from a colleague or client. If the request is received via email, confirm directly with the requester using alternative, verified contact information such as phone numbers.

o   Links and attachments from unknown or questionable senders should not be opened without verifying the authenticity of the message or request. When an embedded link in a message appears suspicious or unfamiliar, hover over the link to view the full URL, or use tools such as URL checkers to confirm the safety of a suspicious link before clicking on it.

2)      Use anti-phishing tools that provide the following types of capabilities:

o   Preventive means to scan for and block malicious links, attachments, or accounts;

o   Simulation of phishing attacks to reinforce employees’ phishing attack awareness and detection savvy;

o   Post-delivery capabilities to intercept and neutralize malware or ransomware if a phishing message is opened.

  • Follow security professionals and experts: Cybersecurity is at the top of mind for many, and as such, there are many cybersecurity experts and professionals who regularly share news, opinions, and tips through their social media channels about developing trends and events.
  • Check vulnerability alerts and advisories: Pay special attention to vulnerability alerts issued by system vendors to stay current on patches or periodically visit their product support pages to stay up-to-date on vulnerabilities, or updates on potential system outages.

Additionally, set periodic reminders to search vulnerability databases such as the Computer Emergency Readiness Team Coordination Center (CERT/CC) Vulnerability database or the National Vulnerability Database to determine whether information related to vulnerabilities in products used in your practice is included.

  • Be prepared: Assume that data security incidents will occur and do not overlook investing in mitigation and recovery, which should include creating a plan to respond to a successful attack. Before creating a formalized plan, contemplate answers to questions such as, “Will I shut down the system and access altogether?” “What will we do to identify and recover stolen data?” “How will we identify the affected clients or individuals and notify them?” to identify potential gaps in your current plan. Depending on the gaps identified, determine whether security professionals or experts may need to assist in fortifying the firm’s security plan and strategy.
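The phishing tips above recommend hovering over a link to see where it really goes before clicking. The following is an added example, not code from the article or from CNA, that automates that check over an HTML e-mail body: it extracts every anchor, compares the visible link text with the actual href target, and reports a few classic mismatch patterns (display text pointing at a different domain, a trusted domain name buried inside an unrelated host, plain HTTP, and a document name that is really an executable). The sample message, the `.test` domains and the trusted-domain list are constructed placeholders, and the two-label "registrable domain" heuristic is a simplifying assumption; a production tool would use a public-suffix list.

```python
# Added example (not from the article): automate the "hover over the link" phishing check.
# Extracts anchors from an HTML e-mail body and flags display/target mismatches.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the demo; all domains are reserved ".test" placeholders.
SAMPLE_EMAIL_HTML = """
<p>URGENT: your tax return needs verification.</p>
<p>Sign in at <a href="http://login.exampleaccounting.test.evil-host.test/portal">https://portal.exampleaccounting.test</a></p>
<p>Or use <a href="https://portal.exampleaccounting.test/help">our help page</a>.</p>
<p>Download: <a href="https://files.exampleaccounting.test/return.pdf.exe">return.pdf</a></p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    # Simplifying assumption: the last two labels are the owner's domain.
    # Real code should consult a public-suffix list (e.g. for "co.uk").
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href, text, trusted_domains):
    """Return a list of human-readable findings for one link (empty = nothing suspicious)."""
    findings = []
    target = urlparse(href)
    host = target.hostname or ""
    # 1. Visible text looks like a URL but the href goes to a different domain.
    if re.match(r"^https?://", text):
        shown = urlparse(text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            findings.append(f"display/href mismatch: shows {shown}, goes to {host}")
    # 2. A trusted domain name appears inside a host that is not actually that domain.
    for trusted in trusted_domains:
        if trusted in host and registrable_domain(host) != trusted:
            findings.append(f"lookalike host: {host} is not {trusted}")
    # 3. Plain HTTP: anything typed into the page travels unencrypted.
    if target.scheme == "http":
        findings.append("unencrypted http link")
    # 4. Double extension: looks like a document, is an executable.
    path = target.path.lower()
    if re.search(r"\.(pdf|docx?|xlsx?)\.(exe|scr|js|bat|cmd|vbs)$", path):
        findings.append(f"disguised executable: {path.rsplit('/', 1)[-1]}")
    return findings


def scan_email(html, trusted_domains):
    """Map each suspicious href in the message to its findings."""
    report = {}
    for href, text in extract_links(html):
        findings = check_link(href, text, trusted_domains)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL_HTML, ["exampleaccounting.test"]).items():
        print(href)
        for finding in findings:
            print("   -", finding)
```

Running the block on the constructed message reports the first link three times over (mismatched display text, lookalike host, plain HTTP) and the download link once (disguised executable), while the genuine help-page link produces no findings. The same checks can be run by a mail gateway before delivery, or by a help desk when an employee forwards a message they are unsure about.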

In conclusion

CPAs are privy to and hold client information in their care, so they are especially lucrative to cyber attackers. Regardless of size, CPA firms big and small should heed the advice embedded in the colloquial saying, “better safe than sorry,” when devising a cybersecurity risk mitigation strategy.

This information is produced and presented by CNA, which is solely responsible for its content.

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA. CNA recommends consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations.

Any references to non-CNA web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such web sites.

To the extent this article contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental. In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situations, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy.

Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice.

Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claims activities. Copyright © 2020 CNA. All rights reserved.