A Toronto chartered accounting firm is trying to recover after a recent ransomware attack in which some of its data was encrypted after documents were copied. Those documents are now being auctioned off on the dark web.
Among those documents are what is allegedly an April 30 expense form from one of the accounting firm’s main partners; the bank login credentials — including answers to security questions — of another partner; a Goods and Services worksheet that appears to be from a customer; and screenshots of hundreds of folders allegedly from company computers.
Typically, attackers post or auction off such data to embarrass victim companies and increase pressure on them to pay a ransom for decryption keys.
The data is being auctioned off by a site known to be run by the REvil/Sodinokibi threat group. It is one of a number of groups that have added data theft to their ransomware weapon, with the added threat of publicly releasing or auctioning off that data to squeeze victims.
IT World Canada isn’t naming the firm because it hasn’t confirmed the breach of security controls. A phone message was left this morning with one of the senior partners. There was no response by press time, although after that message was left, a security company that said it is acting for the firm called a reporter to ask if more detail is available on social media sites.
The accounting firm offers a wide range of services including audits, financial forecasts, estate planning, accounting software and implementation, and tax services.