Toronto accounting firm hit by ransomware

Howard Solomon

4 years ago

A Toronto chartered accounting firm is trying to recover after a recent ransomware attack that saw some of its data encrypted after documents were copied and are now being auctioned off on the dark web.

Among those documents, is what is allegedly an April 30 expense form from one of the accounting firm’s main partners; the bank login credentials — including answers to security questions — of another partner; a Goods and Services worksheet that appears to be from a customer; and screenshots of hundreds of folders allegedly from company computers.

Typically attackers post or auction off such data to embarrass victim companies and increase pressure on them to pay a ransom for decryption keys.

The data is being auctioned off by a site known to be run by the REvil/Sodinokibi threat group. It is one of a number of groups that has added data theft to its ransomware weapon, with the added threat of publicly releasing or auctioning off that data to squeeze victims.

IT World Canada isn’t naming the firm because it hasn’t confirmed the breach of security controls. A phone message was left this morning with one of the senior partners. There was no response by press time, although after that message was left a security company that said it is acting for the firm called a reporter to ask if more detail is available on social media sites.

The accounting firm offers a wide range of services including audits, financial forecasts, estate planning, accounting software and implementation, tax services and estate planning.

Ransomware incidents are now data breaches, noted B.C.-based threat analyst Brett Callow of Emsisoft. That means they are also a significant risk not only to the target company but also to its clients and business partners. There is clear evidence that the data stolen during these incidents are used to attack the companies and individuals to which it relates via spear-phishing campaigns, business email compromise scams, identity theft and other types of fraudulent activity. In other words, one crime can lead to many. And it’s not only the ransomware group that may misuse the data. Information is often sold and traded to other criminal enterprises on the dark web or, in some cases, even auctioned.

“Attacks often succeed due to sloppy security practices such as not patching in a timely manner or not using multi-factor authentication everywhere that it should be used,” Callow said. “This needs to change. Every ransom that is paid incentivizes the criminals and provides them with additional resources to invest in ramping up the scale and sophistication of their operations. That means more victims, more ransoms paid and more money for the criminals to invest. A vicious circle. The only way to stop ransomware is to make it unprofitable, and that means companies must adhere to security best practices so as not to be in the position of needing to pay ransoms.”