Southern California Chapter

Ransomware Awareness

Published April 30, 2015
There has been a recent surge of ransomware attacks on accountants whose workstations were not adequately protected and backed up, leading some firms to pay a ransom and others to recreate the data (and wish they had paid the ransom instead). For those of you not familiar with ransomware, it is a term for malicious software that either locks you out of your computer or encrypts certain files on your hard drive and requires an anonymous payment ($200-$300 in Bitcoin) for an “unlocking” key so you can once again access your files. CryptoLocker and CryptoWall are two of the most recognized names for this type of malware, which is usually invoked by one of your personnel clicking on a “suspect” email attachment. The malware will then deny access to their machine or encrypt all their Microsoft Office documents, image files, and many other standard file types that they use at work, including any on mapped network drives that they have access rights to. Criminal organizations have found this to be so lucrative that they are spawning new variations such as Virlock, which can self-create a unique version every time it is used (so antivirus programs won’t recognize it), and TeslaCrypt, which is expanding attacks to file names associated with well-known online games found on your kids’ computers. Once infected, those computers can spread the malware to other computers attached to the home network (which could be your office PC).

So what can you do about this? The first step is to keep your computer’s anti-malware and web filtering software up to date, which will block most ransomware. If you or your IT person are not sure if you have the right tools, hire an external security expert to evaluate your applications and security configuration and make recommendations. The next step is to ensure you have separate backups/shadow copies of your data offsite (and not connected to your network), so it can be restored to a specific point in time. Many users have backup systems that synchronize ALL files between their laptop and a cloud system so they are exactly the same, which invariably ensures that the malware is backed up as well. Keeping separate weekly images on external drives or cloud services will allow you to restore to a specific point in time before the virus was invoked. User file access permissions should be limited where possible; if everyone has “administrator” rights, any of these users could potentially infect ALL the files on the network! Finally, it’s very important to educate your personnel about the “suspect” email attachments that introduce the virus. Examples include unsolicited banking notices, shipping notices, or airline ticket invoices from a vendor you have not done business with that make demands explained “in the attached document.”

If you do become a victim of ransomware, notify your IT person immediately to assess the situation and discuss remediation options.  In some cases they can work around the screen-lock version, but if your files are encrypted, you are out of luck.  If you determine that you do not have any way to recreate/restore the data and a decision is made to pay the ransom, have your IT person pull off the needed files from the infected computer (after the decryption) to a separate drive (not attached to the network), thoroughly scan the data to remove any malware, and then reformat and rebuild the computer, before restoring the cleansed data. If you don’t do this, there is a chance the infection is still present and there is nothing stopping the criminal from hitting you up again.

Roman H. Kepczyk, CPA.CITP, AAAPM, and Lean Six Sigma Black Belt, is Director of Consulting for Xcentric, LLC and works exclusively with accounting firms as an outsourced, independent IT partner to optimize internal production workflows within their tax, audit, client services and administrative areas. His Quantum of Paperless Guide (Amazon.com) outlines 32 digital best practices all accounting firm partners need to understand today, as well as the 2015 AAA paperless benchmarks.