Ransomware actors are targeting tax software files in a bid to dig up highly sensitive data and increase leverage over their victims, including small businesses whose efforts to be tax-compliant could be seriously disrupted.
Late last week, security researcher Vitali Kremez reportedly revealed to BleepingComputer that the recently discovered ransomware program Mount Locker has been targeting files featuring extensions associated with TurboTax software. And just last month, Sophos separately reported that LockBit ransomware actors have been using PowerShell tools to look for tax software on breached networks in order to find juicy targets for potential extortion.
Jamie Hart, cyber threat intelligence analyst at Digital Shadows, said that the trend of targeting individual and business tax filings for ransomware attack has been on the rise.
“In the pay-or-get-breached era of ransomware, leaking tax documents could put more pressure on victims to pay. Other groups will likely follow this tactic as well,” said Hart. “The mindset is likely getting the most profit from an attack. The more sensitive the data, the more likely the organization will feel pressured to pay the ransom demand.”
“The actor’s intention is to push victims into paying – and, obviously, they try to give them as many reasons to pay as they possibly can,” added Brett Callow, threat analyst at Emsisoft. “Locking important and possibly time-sensitive files is one way they can do that.”
While Mount Locker reportedly first surfaced around in July 2020, Kremez said the latest version of the ransomware encrypts files with extensions such as .tax, .tax2009, .tax2013 and .tax2014. Such extensions are affiliated with TurboTax, which is developed by Mountain View, California-based Intuit.
Meanwhile, Sophos researchers analyzing a series of recent LockBit attacks found that the culprits were relying on a PowerShell backdoor and the complementary pen testing tool PowerShell Empire to parse the local Windows registry and perform “checks for software that may indicate the system is of greater value.” This includes tax software under the brand names OLTPro, Lacerte and Intuit ProSeries, as well as several of point-of-sale software programs.
If such software was found, and if the compromised systems passed various other checks designed to avoid anti-malware software and virtual machine environments, then the malicious backdoor would launch the Windows Management Interface Provider Host, which was in turn used to filelessly introduce the final payload of LockBit ransomware via a WMI command.
"A number of ransomware binaries specifically seek to shut down services associated with accounting and tax software, among other line of business applications," said Sean Gallagher, senior threat researcher at Sophos, in an interview with SC Media. "But this attack uses such software's presence as part of the criteria for target selection, giving the attackers information that may be used to determine whether they drop ransomware. This is an automation of a task often done manually by attackers once they penetrate the network, so it's not necessarily precedent-setting, but certainly an escalation of automated targeting of these types of data."
For victims attacked by LockBit, Mount Locker and similar infections, a potential worst-case scenario would be if the extortionists not only encrypt tax files but also steal and threaten to publish stolen tax information on their leak sites. “This scenario could allow sensitive data, such as bank account numbers and social security numbers, to fall in the hands of threat actors that could use the information for fraud or identify theft,” said Hart.
Tax software might be the latest flavor-of-the-month for ransomware attackers, but the steps companies must take to protect themselves generally remain the same no matter what data or files are being targeted.
“The key to safeguarding data and files includes thwarting ransomware attacks before they occur by ensuring that system software is up to date and urging employees to actively exercise security awareness practices,” said Hart.
“Generally speaking, companies should ensure they adhere to best practices: use MFA everywhere it can be used, disable PowerShell when not needed, limit admin rights, patch promptly, etc.” added Callow.
"Tax software developers can offer cloud-based storage and other secure backups to small businesses to ensure they don't lose access to critical data," said Gallagher. "Companies can do a lot to prevent the impact of the ransomware itself, but offsite backups are a good way to prevent data loss from ransomware."
Additionally, "good security hygiene, including securing remote access and deploying up-to-date endpoint and ransomware protection, can go a long way in preventing these attacks from succeeding," he continued.