BLUF

With tax season approaching, two shifts in ransomware tactics combined could have more effect than previously seen – targeting of organizations rather than individuals and publishing rather than destroying the victim’s internal data. A dangerous combination, the incorporation of both tactics could force victims to pay the ransom if we are lucky, with impacts from lack of payment potentially severely damaging clients in ways more personal than previously seen.

Background

In light of the release of W2 and other tax-related information for US-based workforces, the IRS has publicly recognized a shift in threat actor tactics to focus on targeting tax preparation services starting in 2020. This follows the upward trend of targeting of organizations rather than individuals by more sophisticated cyber criminals. Similarly, there was a rise in ransomware use as tool of choice for threat actors against victim organizations. In 2020 there was a marked increase in ransomware used against targeted organizations.

Ransomware groups have decided recently to publish the data for nonpaying victims – forgoing the traditional threat of deleting the encrypted victim data. This not only eliminates the reassurance of recovery through backup data copies, it also opens up a new fear of the unknown.

·         What will be included in the files released?

·         Do we have customer data that would lead to further exploitation for them with liability for us?

·         Do we have internal communications we don’t want becoming public?

None of the answers to those questions will be good.

Considerations

Taking into account the damage and the liability held by any organization suffering a punitive data release, the potential results of a tax preparation service undergoing a ransomware attack with disclosure from non-payment would be disastrous. This plays into a criminal’s selection, just as healthcare and local governments were in 2019. When the average ransomware payout listed as US$111K, it seems a small price to pay when confronted by the lawsuit impending from a public disclosure of tax records. Further, feeding the success will promote public disclosure as a viable ransomware tactic for improved returns on criminal efforts.

When you are considering a preparation service, especially with a private practice, you are within your rights to ask about their security practices and how your data is protected. You data is paramount, with tax data falling just behind your health records in being irreplaceable. If a criminal were able to post the information to be used by identity thieves, full recovery will be difficult if not impossible.

-scl