
Malware targets accountancy firms

2nd Dec 2013

Accountants’ websites and emails may be targeted by a piece of ransomware that wipes information from their systems if a fee is not paid.

The ICPA discovered that a member had been hit by the Trojan, named Cryptolocker, and that all of his computer’s software and programmes had been completely wiped.

Anita Brown, ICPA senior consultant, issued a letter about the incident, warning other members to be vigilant about the virus.

The "nasty" piece of malware has been around since last year, but only in the last few months has the intensity of its attacks increased, perhaps due in part to the fact that bitcoin, which it demands as a ransom, has increased in popularity and value.

According to Brown, the malware is targeting computers running on Microsoft Windows. It could appear in the form of either an email attachment that looks legitimate or a pop-up on a website. Once someone has opened an attachment or clicked on a pop-up advert, the software downloads onto the computer and can take a while to take effect.

It encrypts all documents stored on your local computer, and any on mapped network drives and mountable removable storage, such as connected hard drives and back-up discs.

It then asks the user to hand over two bitcoins, in either MoneyPak or Ukash prepaid cards. If it isn’t paid within three days, the decryption key is deleted and access to files is lost forever.

“The encryption used is strong, 2048 bit RSA, with the decryption key for your files being stored on a remote server. The odds of being able to break this encryption are almost non-existent,” wrote Brown in a letter to ICPA members.

The ICPA member in question was using a desktop-based accounting package and lost all of his data.

But Aaron Yates, managing director of independent cloud and digital marketing advisors Berea and risk solution Cyber AMI, said that one way he could have recovered his information was if he had it backed up to the cloud.

“The cloud throws up different security risks. But in this instance, if the member had been using cloud-based accounting software, his information would have been easily retrievable,” he said.

Cloud-based accounting software provider Xero confirmed that this was the case with users of the cloud, and managing director Gary Turner said: “The worst that should happen with cloud-based software and data whenever a PC is compromised with malware or a virus is that the user can just clean and reformat their PC from scratch without worrying about losing or restoring their data, or move to a different unaffected device in order to continue working.”

Managing director of another cloud-based accounting software, Barbara Kroll of Twinfield, agreed: "Provided you chose a serious cloud provider with a detailed and sophisticated security policy in terms of anti-virus, anti-hacking, anti-malware, etc precautions, your data will always be safe and ready for use. If your hard disk corrupts, you can just open the software and therefore the data on another device. Easy as pie."

Therefore, those affected by the malware can restore their details if they are backed up to the cloud, or from Shadow Volume Copies of files if users have System Restore enabled on their computer.

Yates added that it’s highly unlikely that those using Apple and Linux products will be affected.

The ICPA and Berea had some tips and advice for what accountants can do to minimise risk of being affected:

  • Teach your staff to recognise spam/bad emails and make sure they know when not to open attachments
  • Back up your files using either an external hard drive that you disconnect after use, or pay for an online back-up service
  • Switch to a spam and virus-filtered email address
  • Be wary of clicking on pop-up ads or other pop-ups on legitimate websites
  • Make sure your operating system is up-to-date with the latest security updates
  • Install the latest versions of your internet browsers and update add-ons such as Java and Flash
  • On Windows 7, double check you’ve set up system restore points or, if using Windows 8, configure it to keep the ‘file history’
  • Don’t open email attachments from spam emails
  • Act quickly. If you do accidentally download a suspicious attachment, bear in mind that the encryption is likely to take some time. If you immediately download and run an anti-virus programme, it could destroy CryptoLocker before all your files have been encrypted; however, you will permanently lose the affected files. You should also disconnect the computer from your wireless or wired network. This will prevent the malware from encrypting any further files on your network

Is this something that you have had experience with? How have you dealt with it?

Replies (7)


By glenbogle
02nd Dec 2013 19:04

Microsoft products

The Cryptolocker virus hits Microsoft Access, Excel and Word documents. That includes databases in SAGE payroll dears.

Don't go cheap on virus protection.

 

Thanks (1)
Locutus of Borg
By Locutus
03rd Dec 2013 15:51

Spike in virus e-mails

I have noticed quite a spike in e-mails in the last 48 hours - all "from" Royal Mail and Mastercard and with a virus-laden .zip attachment.

This is no doubt to coincide with the fact that the start of December is the peak for ordering Christmas shopping online.  The scammers have moved on a lot from the old days of the poorly-worded e-mail "from" the deposed Oil Minister of an African country who wants to share his fortune with you if you give him your bank details.

Thanks (0)
By glenbogle
03rd Dec 2013 21:12

Fed-ex Emails too

Or ones purporting "sending your rewards" have been used to deliver a virus called Tatanga along with Cryptolocker.

There is only one defence: have a clean backup available and restore back to it after cleaning all drives.

 

 

Thanks (0)
By chatman
05th Dec 2013 13:25

Cryptolocker: overwriting your backups.

What if your backup overwrites your encrypted files with the newly encrypted ones? What do you do then?

Thanks (0)
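One way to guard against the situation raised in the comment above, a scheduled backup copying already-encrypted files over the last good copy, is a check that runs before the backup job and refuses to proceed when too many files look encrypted. This is an added example, not part of the original article or its comments; the function names, header list, thresholds and sample files are assumptions constructed for illustration.

```python
import math, os, tempfile
from collections import Counter

# Leading bytes of some common document formats (assumed list; extend it
# to cover the file types your practice actually stores).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0"}

def entropy(data):
    """Shannon entropy in bits per byte: about 4-5 for text, near 8 for ciphertext."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def looks_encrypted(path, sample=65536):
    """A known format that lost its header, or other data that looks random."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is not None:
        return not head.startswith(magic)
    # Too little data gives an unreliable entropy estimate, so skip small files.
    return len(head) >= 4096 and entropy(head) > 7.5

def safe_to_back_up(root, max_suspect_ratio=0.2):
    """Return (ok, suspects); ok is False when too many files look encrypted."""
    suspects, total = [], 0
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            total += 1
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                suspects.append(os.path.relpath(full, root))
    return total == 0 or len(suspects) / total <= max_suspect_ratio, sorted(suspects)

def demo(encrypted):
    """Constructed sample data: three small 'documents', optionally scrambled."""
    files = {"ledger.pdf": b"%PDF-1.4 constructed sample\n" * 200,
             "payroll.xlsx": b"PK\x03\x04" + b"constructed sample" * 300,
             "clients.csv": b"name,amount\nExample Ltd,100.00\n" * 200}
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                # os.urandom stands in for ciphertext of the same length.
                fh.write(os.urandom(len(body)) if encrypted else body)
        return safe_to_back_up(root)

if __name__ == "__main__":
    print(demo(False), demo(True))
```

Compressed or media files that are not in the header list also have high entropy and would be flagged, so add their headers before relying on the ratio. Keeping several dated backup versions rather than a single overwritten copy covers the case where the check is bypassed.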
Replying to John Hextall:
By glenbogle
05th Dec 2013 15:10

I would suggest going out

I would suggest going out and replacing all your kit and starting again with a back up that was taken before the virus hit.

Look for offsite backup

Thanks (0)
Replying to johngroganjga:
By chatman
05th Dec 2013 15:40

Cryptolocker encrypting your backed up files

glenbogle wrote:

Look for offsite backup

I was referring to offsite backup.

Thanks (0)
By andrewparker1
11th Jan 2014 11:19

McAfee

My client was hit with this nasty malware. McAfee stopped it but not until after it had done a lot of damage. So even having up-to-date protection is no guarantee.

Thanks (0)