War Story 117 – Ransomware Attack

A staff member of a mid-size CPA firm logged into a public wi-fi network at a coffee shop and spent the morning working on firm files while on the public network. A few days later the employee received an email message from a hacker stating that a ransomware attack had encrypted all of the firm’s files and that all of the files would remain encrypted until a ransom of 2.5 Bitcoin (about $10,000) had been paid.

The employee notified the firm’s managing partner, who contacted the firm’s cyber insurance provider. The provider engaged an attorney and an IT forensics expert to conduct an investigation to determine the extent of the breach. The investigation found that the computer network’s credentials, sensitive data, and personal identity information had been accessed by the hacker. The hacker had also accessed the firm’s tax and accounting software programs. Worse, the firm’s backup files, which had been stored in a location that was connected to the firm’s computer network, were accessed by the ransomware and encrypted by it.

The encrypted backup files meant the firm had little option but to pay the ransom, even though a ransom payment would not guarantee that the files would be unencrypted. The Bitcoin vendor charged $850 to convert dollars into Bitcoin.

After the ransom was paid, the files were unencrypted, but data restoration services were required to secure the sensitive data and information and to apply security encryption to it. Backups had been performed weekly prior to the attack, so several days of work were lost.

Affected clients were located in several states, and legal counsel helped determine each state’s requirements for notifying clients and law enforcement agencies. Notification letters were prepared and mailed, a call center was set up to handle questions from clients, and credit monitoring services were offered to clients.

Expenses totaled about $40,000. The firm’s cyber insurance program covered the expenses other than the insurance deductible and advised the firm on how to better manage its future cyber risk exposures.

After reading the following questions, select the one answer that is the best response.

1. How had the hacker initially accessed the firm’s computer network?

a. The staff member was using a simple password.

b. The staff member was using a public wi-fi network.

2. How had the hacker accessed the firm’s tax and accounting software programs?

a. The firm was using simple password configurations.

b. The firm was using the same passwords on multiple devices/accounts.

c. Both a and b are correct.

3. How could the firm have reduced its losses due to the backup files being encrypted?

a. Protect the backups in a remote or external location, such as a secure cloud service, where they are safe from ransomware seeking out backup copies.

b. Perform backups daily to reduce the amount of lost work.

c. Both a and b are correct.

4. What is the best way to prevent most cyber losses?

a. Have a good cyber insurance program in place.

b. Educate, train and remind firm staff members frequently about good cyber-hygiene, safe practices, and do’s and don’ts.



Answers to Question 1:

a. Incorrect. The simple password was not the main culprit here, but it did help the hacker access the firm’s software once they were in the network. Passwords should be strengthened with a mix of special characters, numbers and letters. Also, require staff members to use different passwords on multiple devices/accounts.

b. Correct. Public wi-fi networks are generally not secure. A hacker can use keystroke logger malware to see the user’s UserID and password. If you are away from your home or office, ask the business you are patronizing whether it offers private, password-protected networks.


Answers to Question 2:

a. Correct, but there’s a better answer.

b. Correct, but there’s a better answer.

c. Correct and the best answer. Require staff members to use strong passwords that contain a mix of special characters, numbers and letters to keep them from being easy to figure out. Also, require staff members to use different passwords on their multiple devices/accounts.


Answers to Question 3:

a. Correct, but there’s a better answer.

b. Correct, but there’s a better answer.

c. Correct and the best answer. The combination of protecting backups in a remote, safe location, and performing backups frequently, will help reduce risk exposures from ransomware and lost work.


Answers to Question 4:

a. Correct, but there’s a better answer. A good cyber insurance program is a must-have for protection against losses, and it should provide risk management guidance and resources for preventing losses. There’s a better first step for preventing most losses, though.

b. Correct, and the best answer. Educating, training and reminding firm staff members frequently about the dangers of computer usage are the best ways to prevent most losses. For example, staff should be trained to avoid clicking on links, attachments, PDFs, WAV files, pop-ups, and other potential malware carriers. These steps will reduce many cyber-losses. By going directly to a website for information or confirmation, or making a phone call to verify an email, staff will reduce cyber risks. For more tips visit the CAMICO Members-Only Site and click the Cyber/Data Security Resource Center.

“War Stories” are drawn from CAMICO claims files and illustrate some of the dangers and pitfalls in the accounting profession.