Recent Posts

CPAFMA 2018 Firm Manager Salary Survey Launches

CPAFMA Launches Missouri Chapter

Kimberly Fitzgerald, PAFM Honored with ACE Award

Sarah Snell Recognized as a Phenomenal Woman Under 40

Your Next Mission is Waiting

Browse by Category

General News

Browse Archives

October 2018
September 2018
August 2018
July 2018
June 2018
May 2018
April 2018
March 2018
February 2018
January 2018
December 2017
October 2017
July 2017
June 2017
May 2017
April 2017
March 2017
February 2017
January 2017
December 2016
November 2016
October 2016
September 2016
August 2016
July 2016
June 2016
April 2016
March 2016
December 2015
November 2015
October 2015
June 2015
April 2015
March 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014

Ransomware Awareness

Published on April 30, 2015 by Roman H. Kepczyk, CPA.CITP, AAAPM, Xcentric

There has been a recent surge of Ransomware attacks on accountants whose workstations were not adequately protected and backed up, leading to some firms paying a ransom and others recreating the data (and wishing they would have paid the ransom instead).  For those of you not familiar with Ransomware, it is a term for malicious software that either locks you out of your computer or encrypts certain files on your hard drive and requires an anonymous payment ($200-$300 in BitCoins) to provide an “unlocking” key, so you can once again access your files.  CryptoLocker and CryptoWall are two of the most recognized names for this type of malware which is usually invoked by one of your personnel clicking on a “suspect” email attachment, that will then deny access to their machine or encrypt all their Microsoft Office documents, image files, and many other standard file types that they use at work, including any that are on mapped network drives that they have access rights to.  Criminal organizations have found this to be so lucrative that they are spawning off new variations such as Virlock, which can self-create a unique version every time it is used (so antivirus programs won’t recognize it) and TeslaCrypt which is expanding attacks to file names associated with well-known online games found on your kid’s computers… which, once infected can spread to other computers attached to the home network (which could be your office PC).

So what can you do about this?  The first step is to keep your computer’s anti-malware and web filtering software up to date, which will block most ransomware.  If you or your IT person are not sure if you have the right tools, hire an external security expert evaluate your applications and security configuration and make recommendations. The next step is to ensure you have separate backups/shadow copies of your data offsite (and not connected to your network), so it can be restored to a specific point in time.  Many users have backup systems that synchronize ALL files between their laptop and a cloud systems so they are exactly the same, which invariably ensures that the malware is backed up as well.  Keeping separate weekly images on external drives or cloud services will allow you to restore to a specific point in time before the virus was invoked.  User file access permissions should be limited where possible, meaning that if everyone has “administrator” rights, any of these users could potentially infect ALL the files on the network!  Finally, it’s very important to educate your personnel about “suspect” email attachments that introduce the virus.  Examples include unsolicited banking notices, shipping notices, or airline ticket invoices from a vendor you have not done business with that makes demands explained “in the attached document.”

If you do become a victim of ransomware, notify your IT person immediately to assess the situation and discuss remediation options.  In some cases they can work around the screen-lock version, but if your files are encrypted, you are out of luck.  If you determine that you do not have any way to recreate/restore the data and a decision is made to pay the ransom, have your IT person pull off the needed files from the infected computer (after the decryption) to a separate drive (not attached to the network), thoroughly scan the data to remove any malware, and then reformat and rebuild the computer, before restoring the cleansed data. If you don’t do this, there is a chance the infection is still present and there is nothing stopping the criminal from hitting you up again.

Roman H. Kepczyk, CPA.CITP, AAAPM, and Lean Six Sigma Black Belt is Director of Consulting for Xcentric, LLC and works exclusively with accounting firms as an outsourced, independent IT partner to optimize internal production workflows within their tax, audit, client services and administrative areas. His Quantum of Paperless Guide ( outlines 32 digital best practices all accounting firm partners need to understand today as well as the 2015 AAA paperless benchmarks.