A practitioner note for firm owners, partners, and the IT generalists who keep accounting firms running. If you run or support a firm with two to fifty CPAs, EAs, or tax preparers, you are inside the target zone — and between February 1 and April 15 you are inside the highest-pressure window of your year. So are the operators.
Why tax season is the perfect storm
Ransomware operators are economically rational. The February-to-April window checks every box at once.
The deadline is immutable. April 15 does not move because a firm has been encrypted. October 15 does not move for extension filers. The penalty math runs against the taxpayer, the malpractice exposure runs against the firm.
The data is at maximum sensitivity right now. Off-season the tax software holds prior-year returns. During tax season it holds prior-year returns plus current-year work in progress — every W-2, K-1, SSN, EIN, and bank routing number for refund deposit and estimated payments.
The workforce is inflated and under-vetted. Most firms bring in seasonal preparers in late January. Credentials are provisioned fast, training is compressed. The seasonal hire who clicked the IRS-impersonation email on their second day is the most common entry point I see in February through April.
Hours are long and fatigue is high. Saturday hours, Sunday hours, late evenings. People click faster when tired. Operators time their lures to Friday and Sunday evenings deliberately.
Financial-impact leverage peaks. A week of downtime in October is bad. A week of downtime in late March can take the firm's annual revenue with it. Operators price the ransom against what the firm cannot afford to lose.
Client money moves on a predictable schedule. Refund deposits, estimated quarterly payments, and direct-debit installments all flow through the firm's workflow. Operators who have been in the environment know when those movements happen and use it in negotiation.
The operators actually doing this work
This is an ecosystem, not a single group. The crews most active against accounting and tax-adjacent SMB targets over the last 18 months include Akira, Black Basta, ALPHV/BlackCat (the brand collapsed in early 2024, but its affiliates moved on to other programs), Hunters International, INC Ransom, Play, BianLian, Royal (rebranded as BlackSuit), RansomHub, and Medusa. The Sax LLP breach disclosure filed with the Maine Attorney General and the Wojeski & Company incident that produced a New York Attorney General settlement both sit inside this landscape.
Several operate as ransomware-as-a-service. The playbooks are consistent, which is good news for defenders. Double-extortion is the default — assume any successful intrusion includes data theft.
The attack chain inside a typical CPA firm
It usually starts with a phishing email, and during tax season it usually lands with a seasonal preparer or the billing person, because those are the inboxes where opening attachments and links from unfamiliar senders is routine work and a click looks legitimate.
The lures are tuned to the season:
- IRS notice impersonation — fake CP2000, fake CP504, fake EFIN suspension threat, fake e-file rejection.
- EFIN suspension — exploiting genuine anxiety about EFIN status among newer preparers.
- ADP / Gusto / Paychex payroll lookalikes — timed to actual pay cycles.
- Client portal lookalikes — fake notices that "a client has uploaded a document for your review."
The payload is a loader. Residual Qakbot variants still circulate; Pikabot dominated 2024; DarkGate and Latrodectus have been the most active loader families across 2024 and 2025. The loader's job is to phone home, establish persistence, and let the operator inside.
Within hours, the operator harvests credentials. LSASS memory dumps are standard. Browser-saved passwords, cached Windows credentials, RDP histories, and the credential manager all get scraped.
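The LSASS dumping step above is also one of the most reliable detection points in the chain, because a process opening lsass.exe with memory-read rights is rare and auditable. The following is an added example of that detection logic, written for this note rather than taken from the page or any vendor product: it triages Sysmon Event ID 10 (ProcessAccess) records, flags any source process that opened LSASS with PROCESS_VM_READ and is not on a short allowlist, and raises the severity when the source runs from a user-writable path (the dropped-loader pattern). The events are constructed samples in a simplified JSON shape, and the allowlist entries are assumptions to be tuned to the firm's own AV/EDR.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for LSASS credential
dumping. Sample events are constructed, not real telemetry, and use a
simplified one-JSON-object-per-line shape rather than Sysmon's native XML."""
import json

# Win32 process-access right that a credential dumper needs to copy LSASS memory.
PROCESS_VM_READ = 0x0010

# Source images that legitimately read LSASS on a typical Windows host.
# Assumption: the firm runs Defender; add your EDR's image path here.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Path fragments that mark user-writable locations (where a loader gets dropped).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\public\\")

# Constructed sample events: one benign reader, one loader dropped in a temp
# folder, one process with query-only rights, one unrelated event, one LOLBin.
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2025-03-14 21:02:11", "Computer": "TAX-WS07",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2025-03-14 21:05:40", "Computer": "TAX-WS07",
     "SourceImage": r"C:\Users\kpatel\AppData\Local\Temp\irs_notice_viewer.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2025-03-14 21:06:02", "Computer": "TAX-WS07",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "UtcTime": "2025-03-14 21:06:30", "Computer": "TAX-WS07",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 10, "UtcTime": "2025-03-14 21:09:15", "Computer": "TAX-SRV01",
     "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]
# Serialised the way a log forwarder would hand them to a detection script.
SAMPLE_LINES = [json.dumps(ev) for ev in SAMPLE_EVENTS]


def parse_event(line: str) -> dict:
    """One JSON object per line; a real pipeline would parse Sysmon XML/EVTX."""
    return json.loads(line)


def reads_lsass_memory(ev: dict) -> bool:
    """True when a ProcessAccess event opened lsass.exe with PROCESS_VM_READ."""
    if ev.get("EventID") != 10:
        return False
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    return bool(int(ev["GrantedAccess"], 16) & PROCESS_VM_READ)


def triage(lines):
    """Return alert records for LSASS memory reads by non-allowlisted processes."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not reads_lsass_memory(ev):
            continue
        src = ev["SourceImage"].lower()
        if src in BENIGN_SOURCES:
            continue
        reasons = ["unexpected process opened LSASS with PROCESS_VM_READ"]
        if any(marker in src for marker in USER_WRITABLE):
            reasons.append("source image runs from a user-writable path")
        alerts.append({"host": ev.get("Computer"), "time": ev.get("UtcTime"),
                       "source": ev["SourceImage"], "access": ev["GrantedAccess"],
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LINES):
        print(f"{a['host']} {a['time']} {a['source']} ({a['access']}): "
              + "; ".join(a["reasons"]))
```

On the sample feed this produces two alerts (the temp-folder executable and the rundll32 full-access open) and ignores Defender, the query-only Task Manager open, and the process-create event. In production the allowlist should be matched on signer and hash rather than path alone, and the alert should be correlated with the user's recent inbound mail, since the source process is usually the loader that arrived in the phishing email.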
Lateral movement targets the tax software server. Cobalt Strike is still the most common C2 beacon, with Sliver, Brute Ratel, and NetSupport RAT in heavy rotation. The operator pivots to the Lacerte network instance, the Drake server, the CCH Axcess on-prem deployment, UltraTax, or ATX. They search for high-value file types — .tax, PDF copies of returns, Lacerte client data files, .qbb QuickBooks backups, .qbw working files, and the source-document tree.
Exfiltration follows, usually to Mega, an S3 bucket on a stolen card, or a rented VPS. Encryption is last, almost always Friday evening through Sunday. By Monday morning the tax software will not open and a ransom note is on every desktop.
Why the tax software server is the crown jewel
Lacerte, Drake, CCH Axcess, UltraTax, ATX, ProSeries — the product varies but the architecture does not. The tax software runs a SQL-style backend containing client master data, prior-year returns, current-year work in progress, e-file submission status, refund deposit routing, and references to source documents.
Encrypt that backend and you have encrypted the firm. Preparers cannot open returns. Reviewers cannot sign off. E-file submissions stop. Amended returns cannot be processed. With April 15 days away, the consequences compound by the hour — and the firm's leverage in any negotiation shrinks with every hour that passes.
The first hour
If you are reading this in the middle of an active incident:
Disconnect the network at the switch level. Not the WAN router — the switch in the comm closet. Pull every cable or power it off. Unplugging the internet still lets the encryptor finish on the LAN.
Isolate every workstation. Do not power them off. Memory forensics matters. Lock screens, pull network cables, leave machines running.
Call your cyber insurance carrier first. Before the IRS, before the FBI, before the MSP, before you read the ransom note. The policy almost certainly requires the carrier's panel firms. Engaging your own forensics firm first can invalidate coverage.
Do not delete the ransom note. It is evidence the negotiator will need.
Document everything in a paper notebook. Times, names, decisions, calls. The laptops are evidence.
Confirm offsite immutable backups exist and are unreachable from the compromised network. Do not connect to them yet. If the backups were on the same domain or used the same credentials, assume they are gone.
Notify the IRS Stakeholder Liaison within 24 hours. IRS Publication 4557 directs tax professionals to report data theft promptly. The Stakeholder Liaison process is covered in our writeup on IRS Publication 4557 and the FTC Safeguards Rule for CPA firms.
Do not pay, do not click links in the ransom note, do not negotiate. Breach counsel and the carrier's negotiator handle that.
The first week
The first week is structured by the cyber insurance carrier, the IRS Stakeholder Liaison process, the FTC Safeguards Rule, and state breach notification law, in roughly that order.
Forensic investigation. The carrier-appointed panel firm images systems, identifies the entry point, scopes exfiltration, and confirms whether the threat actor is still inside. Five to ten days for a small to mid-size firm. Scope determination covers which clients, which tax years, which return types, and whether bank routing numbers or prior-year PDFs were in the exfiltrated set.
IRS Stakeholder Liaison. The Liaison coordinates with IRS Return Integrity and Compliance Services to flag affected taxpayer accounts against fraudulent return filing, and walks the firm through expedited PTIN and EFIN re-verification if either was compromised. Pub 4557 Section 5 is the operational reference.
State authorities. Many states require parallel reporting when a preparer is breached, and most run a 30-to-60-day breach notification clock from discovery when SSNs, financial account numbers, or tax IDs were exfiltrated. Breach counsel coordinates filings; affected-taxpayer letters require specific identification of data categories exposed, remediation steps, and credit monitoring offered.
The tax-deadline question. The IRS has discretionary authority under disaster-related procedures to grant filing and payment relief. In practice, the firm files a written hardship request through the Stakeholder Liaison, supported by forensic findings and breach counsel attestation. Relief is not automatic, but case-by-case extensions have been granted for documented cyber incidents. File early, document thoroughly.
The decision to pay — honest assessment
Paying does not guarantee data return. The decryptor may be partial, slow, or broken. Exfiltrated data may be published or sold regardless. Several operators and affiliates are sanctioned by OFAC, making payment a federal violation independent of operational pressure.
Cyber insurance carriers now require pre-approval, run OFAC screening, and exclude payments to sanctioned entities. The FBI's standing guidance remains do-not-pay. I align with that guidance.
I have also sat with firm owners whose backups failed in mid-March and who paid because the alternative was the firm. Some firms have paid; outcomes vary, and in several documented cases the exfiltrated data appeared on leak sites even after the ransom was paid. The decision is made with breach counsel and the carrier on the call — not at 9 p.m. on a Saturday alone with a countdown timer.
The controls that actually break the chain
This is the section that matters. Everything above is what happens when nothing is in place. Here is what stops it.
Huntress Managed EDR on every endpoint AND on the tax software server. Most firms cover workstations and skip the server "because it's not a workstation." That is exactly the machine the operator is coming for. The ransomware canary catches encryption behavior in sub-millisecond time, and the loader stage — Pikabot, DarkGate, Latrodectus, residual Qakbot — gets caught and investigated by the SOC before lateral movement begins. See the Managed Detection and Response service page.
Huntress Managed ITDR on Microsoft 365 or Google Workspace. Catches the BEC that delivers the loader, the malicious inbox rule that hides attacker activity, and the account takeover that often precedes ransomware by weeks. Most firms we onboard during tax season already have at least one compromised mailbox they did not know about. See the Managed ITDR service page.
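The "malicious inbox rule that hides attacker activity" is worth understanding concretely, because it is the one artefact of a mailbox takeover a firm can audit itself between briefings. The following is an added example, written for this note and not part of the page or any Huntress product: it triages exported inbox rules for the three patterns that matter most in an accounting firm, namely forwarding or redirecting mail outside the firm, deleting or burying messages that mention payments, refunds, passwords or security warnings, and rules with empty or one-character names. The record shape follows the property names Get-InboxRule returns in Exchange Online (Name, Enabled, SubjectOrBodyContainsWords, MoveToFolder, DeleteMessage, ForwardTo, ForwardAsAttachmentTo, RedirectTo, MailboxOwnerId); the rules and domain names below are constructed samples, and the firm domain is an assumption.

```python
"""Triage Exchange Online inbox rules for the patterns that hide attacker
activity or leak mail. Records are constructed samples in the property shape
of Get-InboxRule output, not a real tenant export."""
import re

FIRM_DOMAINS = {"example-cpa.test"}  # assumption: the firm's own mail domains

# Folders attackers move mail into because nobody looks there.
HIDEOUT_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "junk email", "deleted items", "archive"}

# Words a rule targets when it exists to hide security warnings or hijack payments.
SENSITIVE_WORDS = re.compile(
    r"\b(?:invoice|payment|wire|ach|routing|refund|w-?2|password|hacked|hack|"
    r"phish|phishing|fraud|suspicious|irs|efin)\b", re.I)

# Pulls a bare address out of either "user@domain" or the
# "Display Name [SMTP:user@domain]" form Exchange can emit.
ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

SAMPLE_RULES = [
    {"MailboxOwnerId": "m.lee@example-cpa.test", "Name": "Sort newsletters",
     "Enabled": True, "SubjectOrBodyContainsWords": ["newsletter"],
     "MoveToFolder": "Newsletters", "DeleteMessage": False},
    {"MailboxOwnerId": "j.park@example-cpa.test", "Name": ".",
     "Enabled": True, "SubjectOrBodyContainsWords": ["invoice", "payment", "wire"],
     "MoveToFolder": "RSS Feeds", "DeleteMessage": False},
    {"MailboxOwnerId": "j.park@example-cpa.test", "Name": "fwd",
     "Enabled": True, "ForwardTo": ["Drop Box [SMTP:drop.box@external-mail.test]"]},
    {"MailboxOwnerId": "billing@example-cpa.test", "Name": "Copy to partner",
     "Enabled": True, "ForwardTo": ["a.partner@example-cpa.test"]},
    {"MailboxOwnerId": "r.gomez@example-cpa.test", "Name": "cleanup",
     "Enabled": True, "SubjectOrBodyContainsWords": ["hacked", "password"],
     "DeleteMessage": True},
]


def external_recipients(rule: dict) -> list:
    """Addresses this rule sends mail to that are outside FIRM_DOMAINS."""
    found = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for entry in rule.get(key) or []:
            for addr in ADDRESS.findall(entry):
                if addr.split("@", 1)[1].lower() not in FIRM_DOMAINS:
                    found.append(addr)
    return found


def assess_rule(rule: dict) -> list:
    """Human-readable reasons this rule deserves a look; empty list if benign."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    ext = external_recipients(rule)
    if ext:
        reasons.append("forwards or redirects mail outside the firm: " + ", ".join(ext))
    words = " ".join((rule.get("SubjectOrBodyContainsWords") or [])
                     + (rule.get("SubjectContainsWords") or []))
    hides = bool(rule.get("DeleteMessage")) or \
        (rule.get("MoveToFolder") or "").lower() in HIDEOUT_FOLDERS
    if hides and SENSITIVE_WORDS.search(words):
        reasons.append("deletes or buries mail matching sensitive words: " + words)
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2:
        reasons.append(f"rule name {name!r} is empty or a single character")
    return reasons


def triage_rules(rules) -> list:
    """One finding per suspicious rule, keyed by mailbox and rule name."""
    findings = []
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            findings.append({"mailbox": rule["MailboxOwnerId"],
                             "rule": rule.get("Name"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULES):
        print(f"{f['mailbox']} rule {f['rule']!r}: " + "; ".join(f["reasons"]))
```

On the sample set the newsletter rule and the internal copy-to-partner rule pass, while the dot-named RSS Feeds rule, the external forward, and the delete-on-"hacked" rule are reported. Run this against a full tenant export shortly after onboarding any mailbox protection, and again after any seasonal hire reports an "odd" login prompt; the rule is frequently created weeks before the ransomware lands.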
MFA on the tax software admin account. Lacerte, Drake, CCH Axcess, UltraTax, and ATX all support it. Most firms do not enable it because "it slows me down during tax season" — exactly the argument the operator counts on. App-based or hardware token, not SMS.
Immutable offsite backups following the 3-2-1-1-0 rule. Three copies, two media types, one offsite, one immutable, zero errors on the last verified restore. Tested quarterly. Test before February, not during.
Network segmentation between the front office and the tax software server. Guest wifi and the staff workstation network should not share a VLAN with the tax software server.
Security awareness training with tax-season-specific phishing simulations. Generic annual training is checked once and forgotten. Training tuned to IRS-impersonation themes, EFIN suspension lures, ADP and Gusto lookalikes, and e-file rejection notices materially reduces the click rate on the lures that actually land in February through April.
Seasonal-contractor credential lifecycle. Provisioned in late January with documented permissions. Deprovisioned April 16 — or October 16 for extension preparers — no exceptions. The dormant seasonal account still active in July is the account the operator finds in September.
A documented incident response plan and a cyber insurance policy you have actually read. Both are covered on the cyber insurance readiness page.
The MSP supply-chain risk
Most small accounting firms use a generalist MSP that holds tax software admin credentials, domain admin rights, and backup system access shared across multiple firm clients, and accesses the firm's network through a remote management platform — ConnectWise ScreenConnect, N-able, Datto RMM, Kaseya, Atera — which is itself a high-value target.
If the MSP is compromised, every accounting firm they service is in scope simultaneously. This pattern has been documented in publicly disclosed mass-impact advisories across 2024 and 2025.
This is not an indictment of every MSP. It is structural. Your MSP's security posture is functionally your firm's security posture. Ask whether they have MFA on their RMM, EDR on every technician laptop, a credential vault that is not a spreadsheet, and per-client credentials for privileged access. The security layer needs to be operated independently of the IT layer, which is the model we describe on the accounting industry page.
What to do this week if you are not in an active incident
Three things, in this order.
Read your cyber insurance policy end to end, especially the required-controls section and the incident response panel. If your controls do not match the policy, fix that gap before you need to file. A denied claim in late March is worse than no policy at all.
Audit administrative access to your tax software, Microsoft 365 or Google Workspace tenant, backup system, and domain. Remove anyone who should not be there — start with last year's seasonal credentials. Confirm phishing-resistant MFA on everyone who remains. Include your MSP — the shared credentials are usually where the surprise lives.
Schedule a backup restore test of the tax software database to a non-production environment, witnessed by a partner, with written confirmation that the database opened cleanly and a sample return was retrievable. If your provider cannot or will not perform that test, you have your answer.
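The access audit in step two and the seasonal-contractor credential lifecycle described under the controls section are the same check run at two points in the year, so here is one added example that covers both. It is written for this note, not taken from the page, and works on an exported account list rather than querying AD, Entra or the tax software directly (assumption: you export the accounts into the simplified record shape shown, with group membership, MFA method, last logon and a seasonal flag). It reports seasonal accounts still enabled after April 16 (October 16 for extension preparers), privileged accounts whose MFA is SMS or absent, and dormant accounts that nobody has deprovisioned. The group names, account names and dates are constructed samples.

```python
"""Audit an exported account list for the credential-lifecycle gaps this page
names: seasonal accounts left enabled past their deprovision date, privileged
accounts without app- or hardware-based MFA, and dormant enabled accounts.
Account records are constructed samples in a simplified, assumed shape."""
from datetime import date, timedelta

# Assumption: the firm's privileged groups across domain, tax software, backup and tenant.
PRIVILEGED_GROUPS = {"Domain Admins", "Tax Software Admins", "Backup Admins",
                     "M365 Global Admins"}
STRONG_MFA = {"app", "hardware_token"}   # SMS and "none" fail, as the page requires
DORMANT_AFTER = timedelta(days=90)

AS_OF = date(2025, 7, 10)  # constructed audit date: mid-summer, well past April 16

SAMPLE_ACCOUNTS = [
    {"name": "a.partner", "enabled": True, "groups": ["Tax Software Admins"],
     "mfa": "hardware_token", "last_logon": date(2025, 7, 9)},
    {"name": "season-tmartin", "enabled": True, "seasonal": True, "season_year": 2025,
     "groups": [], "mfa": "sms", "last_logon": date(2025, 4, 9)},
    {"name": "season-rdiaz", "enabled": True, "seasonal": True, "season_year": 2025,
     "extension_preparer": True, "groups": [], "mfa": "app",
     "last_logon": date(2025, 7, 8)},
    {"name": "msp-shared", "enabled": True, "groups": ["Domain Admins", "Backup Admins"],
     "mfa": "sms", "last_logon": date(2025, 7, 1), "owner": "MSP"},
    {"name": "season-jwu", "enabled": False, "seasonal": True, "season_year": 2024,
     "groups": [], "mfa": "none", "last_logon": date(2024, 4, 12)},
    {"name": "svc-scanner", "enabled": True, "groups": [], "mfa": "none",
     "last_logon": None},
]


def deprovision_date(season_year: int, extension_preparer: bool = False) -> date:
    """April 16 for regular-season hires, October 16 for extension preparers."""
    return date(season_year, 10, 16) if extension_preparer else date(season_year, 4, 16)


def audit(accounts, as_of: date) -> list:
    """Return one finding per account with at least one lifecycle or MFA gap."""
    findings = []
    for acct in accounts:
        reasons = []
        enabled = acct["enabled"]
        # 1. Seasonal account still enabled past its deprovision date.
        if acct.get("seasonal") and enabled:
            due = deprovision_date(acct["season_year"], acct.get("extension_preparer", False))
            if as_of >= due:
                reasons.append(f"seasonal account still enabled {(as_of - due).days} "
                               f"days past deprovision date {due.isoformat()}")
        # 2. Privileged account without app- or hardware-based MFA (covers the MSP).
        privileged = PRIVILEGED_GROUPS & set(acct.get("groups", []))
        mfa = acct.get("mfa", "none")
        if privileged and enabled and mfa not in STRONG_MFA:
            reasons.append(f"privileged ({', '.join(sorted(privileged))}) with MFA={mfa}")
        # 3. Enabled account that nobody has used in 90 days (or ever).
        last = acct.get("last_logon")
        if enabled and last is None:
            reasons.append("dormant: never logged on")
        elif enabled and as_of - last > DORMANT_AFTER:
            reasons.append(f"dormant: no logon since {last.isoformat()}")
        if reasons:
            findings.append({"account": acct["name"], "owner": acct.get("owner", "firm"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{f['account']} ({f['owner']}): " + "; ".join(f["reasons"]))
```

Against the sample data the audit reports the regular-season hire still active in July, the MSP's shared domain-admin account on SMS MFA, and a service account that has never logged on, while the extension preparer (not due until October 16), the partner on a hardware token, and last year's already-disabled hire pass. Run it before the April 16 and October 16 dates, not after, and have the partner who witnesses the backup restore test sign the output the same week.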
If you want a practitioner's read on where your firm stands, that is what we do. Start at the accounting industry page or the cyber insurance readiness page. The weekly threat briefing tracks the operators and loaders named in this article in real time.
Attackers do not need your firm to be unprepared. They need it to be more unprepared than the one across town. Closing that gap is achievable, and the controls that close it are not exotic — they are operational discipline applied consistently, before February rolls around again.